The Samba-Bugzilla – Attachment 8681 Details for
Bug 9740
Add samba-tool dbcheck --reset-well-known-acls
[patch]
patches cherry-picked from master
dbcheck.patch (text/plain), 118.92 KB, created by
Andrew Bartlett
on 2013-03-25 13:40:27 UTC
Description:
patches cherry-picked from master
Filename:
MIME Type:
Creator:
Andrew Bartlett
Created:
2013-03-25 13:40:27 UTC
Size:
118.92 KB
patch
obsolete
>From 64f324d9ba949590e5ff008ec1af2ad84dcb3f59 Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Wed, 20 Mar 2013 14:12:26 +1100
>Subject: [PATCH 01/12] scripting: Move the list of well known SDs to
> samba.provision.descriptor
>
>This will allow us to call this from dbcheck.
>
>Andrew Bartlett
>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>(cherry picked from commit 3da89b01faebba669434b07db344c203a4521ca2)
>---
> python/samba/provision/descriptor.py | 58 ++++++++++++++++++++++
> source4/scripting/bin/samba_upgradeprovision | 73 +---------------------------
> 2 files changed, 60 insertions(+), 71 deletions(-)
>
>diff --git a/python/samba/provision/descriptor.py b/python/samba/provision/descriptor.py
>index 32e91ed..df541c2 100644
>--- a/python/samba/provision/descriptor.py
>+++ b/python/samba/provision/descriptor.py
>@@ -28,6 +28,7 @@
>
> from samba.dcerpc import security
> from samba.ndr import ndr_pack
>+from samba.schema import get_schema_descriptor
>
> # Descriptors of naming contexts and other important objects
> >@@ -357,3 +358,60 @@ def get_dns_domain_microsoft_dns_descriptor(domain_sid, name_map={}): > "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ > "(A;CI;RPWPCRCCDCLCRCWOWDSDDTSW;;;ED)" > return sddl2binary(sddl, domain_sid, name_map) >+ >+def get_wellknown_sds(names): >+ >+ # Then subcontainers >+ subcontainers = [ >+ ("%s" % str(names.domaindn), get_domain_descriptor), >+ ("CN=LostAndFound,%s" % str(names.domaindn), get_domain_delete_protected2_descriptor), >+ ("CN=System,%s" % str(names.domaindn), get_domain_delete_protected1_descriptor), >+ ("CN=Infrastructure,%s" % str(names.domaindn), get_domain_infrastructure_descriptor), >+ ("CN=Builtin,%s" % str(names.domaindn), get_domain_builtin_descriptor), >+ ("CN=Computers,%s" % str(names.domaindn), get_domain_computers_descriptor), >+ ("CN=Users,%s" % str(names.domaindn), get_domain_users_descriptor), >+ ("OU=Domain Controllers,%s" % str(names.domaindn), get_domain_controllers_descriptor), >+ ("CN=MicrosoftDNS,CN=System,%s" % str(names.domaindn), get_dns_domain_microsoft_dns_descriptor), >+ >+ ("%s" % str(names.configdn), get_config_descriptor), >+ ("CN=NTDS Quotas,%s" % str(names.configdn), get_config_ntds_quotas_descriptor), >+ ("CN=LostAndFoundConfig,%s" % str(names.configdn), get_config_delete_protected1wd_descriptor), >+ ("CN=Services,%s" % str(names.configdn), get_config_delete_protected1_descriptor), >+ ("CN=Physical Locations,%s" % str(names.configdn), get_config_delete_protected1wd_descriptor), >+ ("CN=WellKnown Security Principals,%s" % str(names.configdn), get_config_delete_protected1wd_descriptor), >+ ("CN=ForestUpdates,%s" % str(names.configdn), get_config_delete_protected1wd_descriptor), >+ ("CN=DisplaySpecifiers,%s" % str(names.configdn), get_config_delete_protected2_descriptor), >+ ("CN=Extended-Rights,%s" % str(names.configdn), get_config_delete_protected2_descriptor), >+ ("CN=Partitions,%s" % str(names.configdn), get_config_partitions_descriptor), >+ ("CN=Sites,%s" % str(names.configdn), 
get_config_sites_descriptor), >+ >+ ("%s" % str(names.schemadn), get_schema_descriptor), >+ ] >+ >+ if names.dnsforestdn is not None: >+ c = ("%s" % str(names.dnsforestdn), get_dns_partition_descriptor) >+ subcontainers.append(c) >+ c = ("CN=Infrastructure,%s" % str(names.dnsforestdn), >+ get_domain_delete_protected1_descriptor) >+ subcontainers.append(c) >+ c = ("CN=LostAndFound,%s" % str(names.dnsforestdn), >+ get_domain_delete_protected2_descriptor) >+ subcontainers.append(c) >+ c = ("CN=MicrosoftDNS,%s" % str(names.dnsforestdn), >+ get_dns_forest_microsoft_dns_descriptor) >+ subcontainers.append(c) >+ >+ if names.dnsdomaindn is not None: >+ c = ("%s" % str(names.dnsdomaindn), get_dns_partition_descriptor) >+ subcontainers.append(c) >+ c = ("CN=Infrastructure,%s" % str(names.dnsdomaindn), >+ get_domain_delete_protected1_descriptor) >+ subcontainers.append(c) >+ c = ("CN=LostAndFound,%s" % str(names.dnsdomaindn), >+ get_domain_delete_protected2_descriptor) >+ subcontainers.append(c) >+ c = ("CN=MicrosoftDNS,%s" % str(names.dnsdomaindn), >+ get_dns_domain_microsoft_dns_descriptor) >+ subcontainers.append(c) >+ >+ return subcontainers >diff --git a/source4/scripting/bin/samba_upgradeprovision b/source4/scripting/bin/samba_upgradeprovision >index 8e7d792..0ca70b5 100755 >--- a/source4/scripting/bin/samba_upgradeprovision >+++ b/source4/scripting/bin/samba_upgradeprovision 
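Review bot: `get_wellknown_sds()` becomes a public helper of samba.provision.descriptor here but has no docstring, and the surviving `# Then subcontainers` comment refers to a "first" step that existed only in its old home in fix_wellknown_sd. Since the commit message says dbcheck will call this to reset ACLs, the contract worth writing down is that each entry is `(dn_string, descriptor_fn)` where `descriptor_fn(domain_sid, name_map)` yields the packed provision-default descriptor — so applying it discards any administrator-customised ACEs on that container — and that entries are listed parent before child within each partition, an order a caller rewriting nTSecurityDescriptor should presumably keep so inherited ACEs are derived from an already-reset parent. I would replace the orphaned comment with a docstring such as `"""Return [(dn, descriptor_fn), ...] for the well-known containers whose SD is reset to the provision default; ordered parent-first within each partition."""`. The dnsforestdn/dnsdomaindn branches also repeat four near-identical appends each and could be one loop, but that is cosmetic.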
>@@ -46,26 +46,8 @@ from ldb import (SCOPE_SUBTREE, SCOPE_BASE,
> MessageElement, Message, Dn, LdbError)
> from samba import param, dsdb, Ldb
> from samba.common import confirm
>+from samba.provision.descriptor import get_wellknown_sds, get_empty_descriptor
> from samba.provision import (find_provision_key_parameters,
>- get_empty_descriptor,
>- get_config_descriptor,
>- get_config_partitions_descriptor,
>- get_config_sites_descriptor,
>- get_config_ntds_quotas_descriptor,
>- get_config_delete_protected1_descriptor,
>- get_config_delete_protected1wd_descriptor,
>- get_config_delete_protected2_descriptor,
>- get_domain_descriptor,
>- get_domain_infrastructure_descriptor,
>- get_domain_builtin_descriptor,
>- get_domain_computers_descriptor,
>- get_domain_users_descriptor,
>- get_domain_controllers_descriptor,
>- get_domain_delete_protected1_descriptor,
>- get_domain_delete_protected2_descriptor,
>- get_dns_partition_descriptor,
>- get_dns_forest_microsoft_dns_descriptor,
>- get_dns_domain_microsoft_dns_descriptor,
> ProvisioningError, get_last_provision_usn,
> get_max_usn, update_provision_usn, setup_path)
> from samba.schema import get_linked_attributes, Schema, get_schema_descriptor
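Review bot: The last context line of the hunk still imports `get_schema_descriptor` from samba.schema, while the only visible user of that name in this script — the `("%s" % str(names.schemadn), get_schema_descriptor)` entry of the subcontainers table — is moved out of the file by this same commit. If nothing else in samba_upgradeprovision references it, the import is now dead and the line should shrink to `from samba.schema import get_linked_attributes, Schema`. A pyflakes pass over the script once the series lands would catch this and any similar leftovers.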
>@@ -1229,58 +1211,7 @@ def fix_wellknown_sd(samdb, names): > > list_wellknown_dns = [] > >- # Then subcontainers >- subcontainers = [ >- ("%s" % str(names.domaindn), get_domain_descriptor), >- ("CN=LostAndFound,%s" % str(names.domaindn), get_domain_delete_protected2_descriptor), >- ("CN=System,%s" % str(names.domaindn), get_domain_delete_protected1_descriptor), >- ("CN=Infrastructure,%s" % str(names.domaindn), get_domain_infrastructure_descriptor), >- ("CN=Builtin,%s" % str(names.domaindn), get_domain_builtin_descriptor), >- ("CN=Computers,%s" % str(names.domaindn), get_domain_computers_descriptor), >- ("CN=Users,%s" % str(names.domaindn), get_domain_users_descriptor), >- ("OU=Domain Controllers,%s" % str(names.domaindn), get_domain_controllers_descriptor), >- ("CN=MicrosoftDNS,CN=System,%s" % str(names.domaindn), get_dns_domain_microsoft_dns_descriptor), >- >- ("%s" % str(names.configdn), get_config_descriptor), >- ("CN=NTDS Quotas,%s" % str(names.configdn), get_config_ntds_quotas_descriptor), >- ("CN=LostAndFoundConfig,%s" % str(names.configdn), get_config_delete_protected1wd_descriptor), >- ("CN=Services,%s" % str(names.configdn), get_config_delete_protected1_descriptor), >- ("CN=Physical Locations,%s" % str(names.configdn), get_config_delete_protected1wd_descriptor), >- ("CN=WellKnown Security Principals,%s" % str(names.configdn), get_config_delete_protected1wd_descriptor), >- ("CN=ForestUpdates,%s" % str(names.configdn), get_config_delete_protected1wd_descriptor), >- ("CN=DisplaySpecifiers,%s" % str(names.configdn), get_config_delete_protected2_descriptor), >- ("CN=Extended-Rights,%s" % str(names.configdn), get_config_delete_protected2_descriptor), >- ("CN=Partitions,%s" % str(names.configdn), get_config_partitions_descriptor), >- ("CN=Sites,%s" % str(names.configdn), get_config_sites_descriptor), >- >- ("%s" % str(names.schemadn), get_schema_descriptor), >- ] >- >- if names.dnsforestdn is not None: >- c = ("%s" % str(names.dnsforestdn), 
get_dns_partition_descriptor) >- subcontainers.append(c) >- c = ("CN=Infrastructure,%s" % str(names.dnsforestdn), >- get_domain_delete_protected1_descriptor) >- subcontainers.append(c) >- c = ("CN=LostAndFound,%s" % str(names.dnsforestdn), >- get_domain_delete_protected2_descriptor) >- subcontainers.append(c) >- c = ("CN=MicrosoftDNS,%s" % str(names.dnsforestdn), >- get_dns_forest_microsoft_dns_descriptor) >- subcontainers.append(c) >- >- if names.dnsdomaindn is not None: >- c = ("%s" % str(names.dnsdomaindn), get_dns_partition_descriptor) >- subcontainers.append(c) >- c = ("CN=Infrastructure,%s" % str(names.dnsdomaindn), >- get_domain_delete_protected1_descriptor) >- subcontainers.append(c) >- c = ("CN=LostAndFound,%s" % str(names.dnsdomaindn), >- get_domain_delete_protected2_descriptor) >- subcontainers.append(c) >- c = ("CN=MicrosoftDNS,%s" % str(names.dnsdomaindn), >- get_dns_domain_microsoft_dns_descriptor) >- subcontainers.append(c) >+ subcontainers = get_wellknown_sds(names) > > for [strdn, descriptor_fn] in subcontainers: > dn = Dn(samdb, strdn) >-- >1.7.11.7 > > >From 25b4bec0b815cd4889b316e61d2ab79286981ffc Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Wed, 20 Mar 2013 14:50:55 +1100 >Subject: [PATCH 02/12] scripting: Fix documentation comment on > upgradehelpers.py:get_clean_sd > >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit 6df17fe799968ca7e2f92ce9e294e3962ac8cbaf) >--- > python/samba/upgradehelpers.py | 11 +++-------- > 1 file changed, 3 insertions(+), 8 deletions(-) > >diff --git a/python/samba/upgradehelpers.py b/python/samba/upgradehelpers.py >index 298e767..13a3691 100644 >--- a/python/samba/upgradehelpers.py >+++ b/python/samba/upgradehelpers.py 
>@@ -347,15 +347,10 @@ def chunck_sddl(sddl):
>
>
> def get_clean_sd(sd):
>- """Get the SD without difference between 2 sddl
>+ """Get the SD without any inherited ACEs
>
>- This function split the textual representation of ACL into smaller
>- chunck in order to not to report a simple permutation as a difference
>-
>- :param refsddl: First sddl to compare
>- :param cursddl: Second sddl to compare
>- :param checkSacl: If false we skip the sacl checks
>- :return: A string that explain difference between sddls
>+ :param sd: SD to strip
>+ :return: An SD with inherited ACEs stripped
> """
>
> sd_clean = security.descriptor()
>--
>1.7.11.7
>
>
>From 5e573befced1c81de9b8b5fcb3ccb2b43cd1935d Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Thu, 21 Mar 2013 12:49:46 +1100
>Subject: [PATCH 03/12] scripting: Make
> samba.provision.descriptor.get_wellknown_sds() return
> ldb.Dn objects
>
>As we look to use this function in more places, it does not make sense to constantly create
>Dn objects from the strings.
>
>Andrew Bartlett
>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>(cherry picked from commit e81a97dd6fc2da701f2cbf42513311a7a44adad3)
>---
> python/samba/provision/descriptor.py | 65 ++++++++++++++--------------
> source4/scripting/bin/samba_upgradeprovision | 5 +--
> 2 files changed, 35 insertions(+), 35 deletions(-)
>
>diff --git a/python/samba/provision/descriptor.py b/python/samba/provision/descriptor.py
>index df541c2..9916a22 100644
>--- a/python/samba/provision/descriptor.py
>+++ b/python/samba/provision/descriptor.py
>@@ -29,6 +29,7 @@
> from samba.dcerpc import security
> from samba.ndr import ndr_pack
> from samba.schema import get_schema_descriptor
>+import ldb
>
> # Descriptors of naming contexts and other important objects
> >@@ -359,58 +360,58 @@ def get_dns_domain_microsoft_dns_descriptor(domain_sid, name_map={}): > "(A;CI;RPWPCRCCDCLCRCWOWDSDDTSW;;;ED)" > return sddl2binary(sddl, domain_sid, name_map) > >-def get_wellknown_sds(names): >+def get_wellknown_sds(names, samdb): > > # Then subcontainers > subcontainers = [ >- ("%s" % str(names.domaindn), get_domain_descriptor), >- ("CN=LostAndFound,%s" % str(names.domaindn), get_domain_delete_protected2_descriptor), >- ("CN=System,%s" % str(names.domaindn), get_domain_delete_protected1_descriptor), >- ("CN=Infrastructure,%s" % str(names.domaindn), get_domain_infrastructure_descriptor), >- ("CN=Builtin,%s" % str(names.domaindn), get_domain_builtin_descriptor), >- ("CN=Computers,%s" % str(names.domaindn), get_domain_computers_descriptor), >- ("CN=Users,%s" % str(names.domaindn), get_domain_users_descriptor), >- ("OU=Domain Controllers,%s" % str(names.domaindn), get_domain_controllers_descriptor), >- ("CN=MicrosoftDNS,CN=System,%s" % str(names.domaindn), get_dns_domain_microsoft_dns_descriptor), >- >- ("%s" % str(names.configdn), get_config_descriptor), >- ("CN=NTDS Quotas,%s" % str(names.configdn), get_config_ntds_quotas_descriptor), >- ("CN=LostAndFoundConfig,%s" % str(names.configdn), get_config_delete_protected1wd_descriptor), >- ("CN=Services,%s" % str(names.configdn), get_config_delete_protected1_descriptor), >- ("CN=Physical Locations,%s" % str(names.configdn), get_config_delete_protected1wd_descriptor), >- ("CN=WellKnown Security Principals,%s" % str(names.configdn), get_config_delete_protected1wd_descriptor), >- ("CN=ForestUpdates,%s" % str(names.configdn), get_config_delete_protected1wd_descriptor), >- ("CN=DisplaySpecifiers,%s" % str(names.configdn), get_config_delete_protected2_descriptor), >- ("CN=Extended-Rights,%s" % str(names.configdn), get_config_delete_protected2_descriptor), >- ("CN=Partitions,%s" % str(names.configdn), get_config_partitions_descriptor), >- ("CN=Sites,%s" % str(names.configdn), 
get_config_sites_descriptor), >- >- ("%s" % str(names.schemadn), get_schema_descriptor), >+ (ldb.Dn(samdb, "%s" % str(names.domaindn)), get_domain_descriptor), >+ (ldb.Dn(samdb, "CN=LostAndFound,%s" % str(names.domaindn)), get_domain_delete_protected2_descriptor), >+ (ldb.Dn(samdb, "CN=System,%s" % str(names.domaindn)), get_domain_delete_protected1_descriptor), >+ (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(names.domaindn)), get_domain_infrastructure_descriptor), >+ (ldb.Dn(samdb, "CN=Builtin,%s" % str(names.domaindn)), get_domain_builtin_descriptor), >+ (ldb.Dn(samdb, "CN=Computers,%s" % str(names.domaindn)), get_domain_computers_descriptor), >+ (ldb.Dn(samdb, "CN=Users,%s" % str(names.domaindn)), get_domain_users_descriptor), >+ (ldb.Dn(samdb, "OU=Domain Controllers,%s" % str(names.domaindn)), get_domain_controllers_descriptor), >+ (ldb.Dn(samdb, "CN=MicrosoftDNS,CN=System,%s" % str(names.domaindn)), get_dns_domain_microsoft_dns_descriptor), >+ >+ (ldb.Dn(samdb, "%s" % str(names.configdn)), get_config_descriptor), >+ (ldb.Dn(samdb, "CN=NTDS Quotas,%s" % str(names.configdn)), get_config_ntds_quotas_descriptor), >+ (ldb.Dn(samdb, "CN=LostAndFoundConfig,%s" % str(names.configdn)), get_config_delete_protected1wd_descriptor), >+ (ldb.Dn(samdb, "CN=Services,%s" % str(names.configdn)), get_config_delete_protected1_descriptor), >+ (ldb.Dn(samdb, "CN=Physical Locations,%s" % str(names.configdn)), get_config_delete_protected1wd_descriptor), >+ (ldb.Dn(samdb, "CN=WellKnown Security Principals,%s" % str(names.configdn)), get_config_delete_protected1wd_descriptor), >+ (ldb.Dn(samdb, "CN=ForestUpdates,%s" % str(names.configdn)), get_config_delete_protected1wd_descriptor), >+ (ldb.Dn(samdb, "CN=DisplaySpecifiers,%s" % str(names.configdn)), get_config_delete_protected2_descriptor), >+ (ldb.Dn(samdb, "CN=Extended-Rights,%s" % str(names.configdn)), get_config_delete_protected2_descriptor), >+ (ldb.Dn(samdb, "CN=Partitions,%s" % str(names.configdn)), 
get_config_partitions_descriptor), >+ (ldb.Dn(samdb, "CN=Sites,%s" % str(names.configdn)), get_config_sites_descriptor), >+ >+ (ldb.Dn(samdb, "%s" % str(names.schemadn)), get_schema_descriptor), > ] > > if names.dnsforestdn is not None: >- c = ("%s" % str(names.dnsforestdn), get_dns_partition_descriptor) >+ c = (ldb.Dn(samdb, "%s" % str(names.dnsforestdn)), get_dns_partition_descriptor) > subcontainers.append(c) >- c = ("CN=Infrastructure,%s" % str(names.dnsforestdn), >+ c = (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(names.dnsforestdn)), > get_domain_delete_protected1_descriptor) > subcontainers.append(c) >- c = ("CN=LostAndFound,%s" % str(names.dnsforestdn), >+ c = (ldb.Dn(samdb, "CN=LostAndFound,%s" % str(names.dnsforestdn)), > get_domain_delete_protected2_descriptor) > subcontainers.append(c) >- c = ("CN=MicrosoftDNS,%s" % str(names.dnsforestdn), >+ c = (ldb.Dn(samdb, "CN=MicrosoftDNS,%s" % str(names.dnsforestdn)), > get_dns_forest_microsoft_dns_descriptor) > subcontainers.append(c) > > if names.dnsdomaindn is not None: >- c = ("%s" % str(names.dnsdomaindn), get_dns_partition_descriptor) >+ c = (ldb.Dn(samdb, "%s" % str(names.dnsdomaindn)), get_dns_partition_descriptor) > subcontainers.append(c) >- c = ("CN=Infrastructure,%s" % str(names.dnsdomaindn), >+ c = (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(names.dnsdomaindn)), > get_domain_delete_protected1_descriptor) > subcontainers.append(c) >- c = ("CN=LostAndFound,%s" % str(names.dnsdomaindn), >+ c = (ldb.Dn(samdb, "CN=LostAndFound,%s" % str(names.dnsdomaindn)), > get_domain_delete_protected2_descriptor) > subcontainers.append(c) >- c = ("CN=MicrosoftDNS,%s" % str(names.dnsdomaindn), >+ c = (ldb.Dn(samdb, "CN=MicrosoftDNS,%s" % str(names.dnsdomaindn)), > get_dns_domain_microsoft_dns_descriptor) > subcontainers.append(c) > >diff --git a/source4/scripting/bin/samba_upgradeprovision b/source4/scripting/bin/samba_upgradeprovision >index 0ca70b5..c6fc8f2 100755 >--- a/source4/scripting/bin/samba_upgradeprovision 
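Review bot: Every entry now wraps its DN as `ldb.Dn(samdb, "%s" % str(names.domaindn))`, where the `"%s" % str(...)` is redundant — `ldb.Dn(samdb, str(names.domaindn))` (or `"CN=Users,%s" % names.domaindn`) says the same thing — and the dnsforestdn/dnsdomaindn branches repeat the same four appends with only the MicrosoftDNS descriptor differing. Building the Dn objects eagerly also means a malformed DN in `names` presumably raises from inside this helper at list-construction time rather than at the point of use; that is acceptable, but callers that used to receive plain strings should now expect an exception from this call. The two DNS-partition branches could be collapsed into one loop that preserves the forest-before-domain order:
```python
    # … unchanged: subcontainers = [ ... ] table for domain, config and schema NCs …
    for partition_dn, dns_fn in ((names.dnsforestdn, get_dns_forest_microsoft_dns_descriptor),
                                 (names.dnsdomaindn, get_dns_domain_microsoft_dns_descriptor)):
        if partition_dn is None:
            continue
        base = str(partition_dn)
        subcontainers += [
            (ldb.Dn(samdb, base), get_dns_partition_descriptor),
            (ldb.Dn(samdb, "CN=Infrastructure,%s" % base), get_domain_delete_protected1_descriptor),
            (ldb.Dn(samdb, "CN=LostAndFound,%s" % base), get_domain_delete_protected2_descriptor),
            (ldb.Dn(samdb, "CN=MicrosoftDNS,%s" % base), dns_fn),
        ]
```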
>+++ b/source4/scripting/bin/samba_upgradeprovision
>@@ -1211,10 +1211,9 @@ def fix_wellknown_sd(samdb, names):
>
> list_wellknown_dns = []
>
>- subcontainers = get_wellknown_sds(names)
>+ subcontainers = get_wellknown_sds(names, samdb)
>
>- for [strdn, descriptor_fn] in subcontainers:
>- dn = Dn(samdb, strdn)
>+ for [dn, descriptor_fn] in subcontainers:
> list_wellknown_dns.append(dn)
> if dn in dnToRecalculate:
> delta = Message()
>--
>1.7.11.7
>
>
>From 6388e27d945f42ce1bfbc12e5d2d411b7200b561 Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Thu, 21 Mar 2013 13:34:26 +1100
>Subject: [PATCH 04/12] scripting: Move samba.provision.descriptor to
> samba.descriptor
>
>This will allow dbcheck to import it, without a cirucular dependency via
>samba.provision importing dbcheck.
>
>Andrew Bartlett
>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>(cherry picked from commit 352aff8ed7e06c14b7a00a56b31c79ffddf71dd4)
>---
> python/samba/descriptor.py | 418 +++++++++++++++++++++++++++
> python/samba/provision/__init__.py | 2 +-
> python/samba/provision/descriptor.py | 418 ---------------------------
> python/samba/provision/sambadns.py | 2 +-
> source4/scripting/bin/samba_upgradeprovision | 2 +-
> 5 files changed, 421 insertions(+), 421 deletions(-)
> create mode 100644 python/samba/descriptor.py
> delete mode 100644 python/samba/provision/descriptor.py
>
>diff --git a/python/samba/descriptor.py b/python/samba/descriptor.py
>new file mode 100644
>index 0000000..9916a22
>--- /dev/null
>+++ b/python/samba/descriptor.py
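Review bot: The new loop header `for [dn, descriptor_fn] in subcontainers:` keeps the list-literal destructuring inherited from the old line; the idiomatic target is a plain tuple, `for dn, descriptor_fn in subcontainers:`, which reads correctly now that the items are `(Dn, callable)` pairs. With the `Dn(samdb, strdn)` construction removed from this function, it is also worth checking whether `Dn` from the script's `from ldb import (...)` line is still referenced anywhere else and dropping it if not. fix_wellknown_sd's body continues outside the hunk.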
>@@ -0,0 +1,418 @@ >+ >+# Unix SMB/CIFS implementation. >+# backend code for provisioning a Samba4 server >+ >+# Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2010 >+# Copyright (C) Andrew Bartlett <abartlet@samba.org> 2008-2009 >+# Copyright (C) Oliver Liebel <oliver@itc.li> 2008-2009 >+# Copyright (C) Amitay Isaacs <amitay@samba.org> 2011 >+# >+# Based on the original in EJS: >+# Copyright (C) Andrew Tridgell <tridge@samba.org> 2005 >+# >+# This program is free software; you can redistribute it and/or modify >+# it under the terms of the GNU General Public License as published by >+# the Free Software Foundation; either version 3 of the License, or >+# (at your option) any later version. >+# >+# This program is distributed in the hope that it will be useful, >+# but WITHOUT ANY WARRANTY; without even the implied warranty of >+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >+# GNU General Public License for more details. >+# >+# You should have received a copy of the GNU General Public License >+# along with this program. If not, see <http://www.gnu.org/licenses/>. 
>+# >+ >+"""Functions for setting up a Samba configuration (security descriptors).""" >+ >+from samba.dcerpc import security >+from samba.ndr import ndr_pack >+from samba.schema import get_schema_descriptor >+import ldb >+ >+# Descriptors of naming contexts and other important objects >+ >+def sddl2binary(sddl_in, domain_sid, name_map): >+ sddl = "%s" % sddl_in >+ >+ for [name, sid] in name_map.items(): >+ sddl = sddl.replace(name, sid) >+ >+ sec = security.descriptor.from_sddl(sddl, domain_sid) >+ return ndr_pack(sec) >+ >+def get_empty_descriptor(domain_sid, name_map={}): >+ sddl= "" >+ return sddl2binary(sddl, domain_sid, name_map) >+ >+# "get_schema_descriptor" is located in "schema.py" >+ >+def get_config_descriptor(domain_sid, name_map={}): >+ sddl = "O:EAG:EAD:(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ >+ "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ >+ "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ >+ "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ >+ "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ >+ "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ >+ "(A;;RPLCLORC;;;AU)(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)" \ >+ "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;CIIO;RPWPCRCCLCLORCWOWDSDSW;;;DA)" \ >+ "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ >+ "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)" \ >+ "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ >+ "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)" \ >+ "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ER)" \ >+ "S:(AU;SA;WPWOWD;;;WD)(AU;SA;CR;;;BA)(AU;SA;CR;;;DU)" \ >+ "(OU;SA;CR;45ec5156-db7e-47bb-b53f-dbeb2d03c40f;;WD)" >+ return sddl2binary(sddl, domain_sid, name_map) >+ >+def get_config_partitions_descriptor(domain_sid, name_map={}): >+ sddl = "D:" \ >+ "(A;;LCLORC;;;AU)" \ >+ "(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)" \ >+ "(OA;;RP;d31a8757-2447-4545-8081-3bb610cacbf2;;AU)" \ >+ "(OA;;RP;66171887-8f3c-11d0-afda-00c04fd930c9;;AU)" \ >+ 
"(OA;;RP;032160bf-9824-11d1-aec0-0000f80367c1;;AU)" \ >+ "(OA;;RP;789ee1eb-8c8e-4e4c-8cec-79b31b7617b5;;AU)" \ >+ "(OA;;RP;5706aeaf-b940-4fb2-bcfc-5268683ad9fe;;AU)" \ >+ "(A;;RPWPCRCCLCLORCWOWDSW;;;EA)" \ >+ "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ >+ "(A;;CC;;;ED)" \ >+ "(OA;CIIO;WP;3df793df-9858-4417-a701-735a1ecebf74;bf967a8d-0de6-11d0-a285-00aa003049e2;BA)" \ >+ "S:" \ >+ "(AU;CISA;WPCRCCDCWOWDSDDT;;;WD)" >+ return sddl2binary(sddl, domain_sid, name_map) >+ >+def get_config_sites_descriptor(domain_sid, name_map={}): >+ sddl = "D:" \ >+ "(A;;RPLCLORC;;;AU)" \ >+ "(OA;CIIO;SW;d31a8757-2447-4545-8081-3bb610cacbf2;f0f8ffab-1191-11d0-a060-00aa006c33ed;ER)" \ >+ "(A;;RPWPCRCCLCLORCWOWDSW;;;EA)" \ >+ "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ >+ "S:" \ >+ "(AU;CISA;CCDCSDDT;;;WD)" \ >+ "(OU;CIIOSA;CR;;f0f8ffab-1191-11d0-a060-00aa006c33ed;WD)" \ >+ "(OU;CIIOSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967ab3-0de6-11d0-a285-00aa003049e2;WD)" \ >+ "(OU;CIIOSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967ab3-0de6-11d0-a285-00aa003049e2;WD)" \ >+ "(OU;CIIOSA;WP;3e10944c-c354-11d0-aff8-0000f80367c1;b7b13124-b82e-11d0-afee-0000f80367c1;WD)" >+ return sddl2binary(sddl, domain_sid, name_map) >+ >+def get_config_ntds_quotas_descriptor(domain_sid, name_map={}): >+ sddl = "D:" \ >+ "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)" \ >+ "(A;;RPLCLORC;;;BA)" \ >+ "(OA;;CR;4ecc03fe-ffc0-4947-b630-eb672a8a9dbc;;WD)" >+ return sddl2binary(sddl, domain_sid, name_map) >+ >+def get_config_delete_protected1_descriptor(domain_sid, name_map={}): >+ sddl = "D:AI" \ >+ "(A;;RPLCLORC;;;AU)" \ >+ "(A;;RPWPCRCCLCLORCWOWDSW;;;EA)" \ >+ "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" >+ return sddl2binary(sddl, domain_sid, name_map) >+ >+def get_config_delete_protected1wd_descriptor(domain_sid, name_map={}): >+ sddl = "D:AI" \ >+ "(A;;RPLCLORC;;;WD)" \ >+ "(A;;RPWPCRCCLCLORCWOWDSW;;;EA)" \ >+ "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" >+ return sddl2binary(sddl, domain_sid, name_map) >+ >+def 
get_config_delete_protected2_descriptor(domain_sid, name_map={}): >+ sddl = "D:AI" \ >+ "(A;;RPLCLORC;;;AU)" \ >+ "(A;;RPWPCRCCDCLCLORCWOWDSW;;;EA)" \ >+ "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" >+ return sddl2binary(sddl, domain_sid, name_map) >+ >+def get_domain_descriptor(domain_sid, name_map={}): >+ sddl= "O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ >+ "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ >+ "(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ >+ "(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ >+ "(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ >+ "(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ >+ "(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ >+ "(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ >+ "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ >+ "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ >+ "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ER)" \ >+ "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)" \ >+ "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)" \ >+ "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)" \ >+ "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)" \ >+ "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)" \ >+ "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ >+ "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ >+ "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ >+ "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ >+ 
"(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ >+ "(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;IF)" \ >+ "(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)" \ >+ "(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)" \ >+ "(OA;CIIO;RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ >+ "(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)" \ >+ "(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ >+ "(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)" \ >+ "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)" \ >+ "(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)" \ >+ "(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)" \ >+ "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ >+ "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ >+ "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ >+ "(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ >+ "(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)" \ >+ "(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)" \ >+ "(A;;RPWPCRCCLCLORCWOWDSW;;;DA)" \ >+ "(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)" \ >+ "(A;;RPRC;;;RU)" \ >+ "(A;CI;LC;;;RU)" \ >+ "(A;CI;RPWPCRCCLCLORCWOWDSDSW;;;BA)" \ >+ "(A;;RP;;;WD)" \ >+ "(A;;RPLCLORC;;;ED)" \ >+ "(A;;RPLCLORC;;;AU)" \ >+ "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ >+ "S:AI(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" \ >+ "(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" \ >+ "(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWOWD;;;WD)" >+ return sddl2binary(sddl, domain_sid, name_map) >+ >+def get_domain_infrastructure_descriptor(domain_sid, name_map={}): >+ sddl = "D:" \ >+ "(A;;RPLCLORC;;;AU)" \ >+ "(A;;RPWPCRCCLCLORCWOWDSW;;;DA)" \ >+ "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ >+ "S:" \ >+ "(AU;SA;WPCR;;;WD)" >+ return sddl2binary(sddl, domain_sid, name_map) >+ >+def get_domain_builtin_descriptor(domain_sid, name_map={}): >+ sddl = "D:" \ >+ 
"(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ >+ "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ >+ "(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ >+ "(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ >+ "(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ >+ "(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ >+ "(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ >+ "(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ >+ "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ >+ "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ >+ "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ER)" \ >+ "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)" \ >+ "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)" \ >+ "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)" \ >+ "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)" \ >+ "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)" \ >+ "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ >+ "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ >+ "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ >+ "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ >+ "(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ >+ "(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;IF)" \ >+ "(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)" \ >+ "(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)" \ >+ "(OA;CIIO;RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ >+ 
"(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)" \ >+ "(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ >+ "(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)" \ >+ "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)" \ >+ "(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)" \ >+ "(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)" \ >+ "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ >+ "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ >+ "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ >+ "(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ >+ "(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)" \ >+ "(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)" \ >+ "(A;;RPWPCRCCLCLORCWOWDSW;;;DA)" \ >+ "(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)" \ >+ "(A;;RPRC;;;RU)" \ >+ "(A;CI;LC;;;RU)" \ >+ "(A;CI;RPWPCRCCLCLORCWOWDSDSW;;;BA)" \ >+ "(A;;RP;;;WD)" \ >+ "(A;;RPLCLORC;;;ED)" \ >+ "(A;;RPLCLORC;;;AU)" \ >+ "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ >+ "S:" \ >+ "(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" \ >+ "(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" \ >+ "(AU;SA;CR;;;DU)" \ >+ "(AU;SA;CR;;;BA)" \ >+ "(AU;SA;WPWOWD;;;WD)" >+ return sddl2binary(sddl, domain_sid, name_map) >+ >+def get_domain_computers_descriptor(domain_sid, name_map={}): >+ sddl = "D:" \ >+ "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ >+ "(A;;RPWPCRCCDCLCLORCWOWDSW;;;DA)" \ >+ "(OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)" \ >+ "(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)" \ >+ "(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)" \ >+ "(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)" \ >+ "(A;;RPLCLORC;;;AU)" \ >+ "(OA;;CCDC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;AO)" \ >+ "S:" >+ return sddl2binary(sddl, domain_sid, name_map) >+ >+def get_domain_users_descriptor(domain_sid, name_map={}): >+ sddl = "D:" \ >+ "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ >+ 
"(A;;RPWPCRCCDCLCLORCWOWDSW;;;DA)" \ >+ "(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)" \ >+ "(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)" \ >+ "(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)" \ >+ "(A;;RPLCLORC;;;AU)" \ >+ "(OA;;CCDC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;AO)" \ >+ "S:" >+ return sddl2binary(sddl, domain_sid, name_map) >+ >+def get_domain_controllers_descriptor(domain_sid, name_map={}): >+ sddl = "D:" \ >+ "(A;;RPLCLORC;;;AU)" \ >+ "(A;;RPWPCRCCLCLORCWOWDSW;;;DA)" \ >+ "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ >+ "(A;;RPLCLORC;;;ED)" \ >+ "S:" \ >+ "(AU;SA;CCDCWOWDSDDT;;;WD)" \ >+ "(AU;CISA;WP;;;WD)" >+ return sddl2binary(sddl, domain_sid, name_map) >+ >+def get_domain_delete_protected1_descriptor(domain_sid, name_map={}): >+ sddl = "D:AI" \ >+ "(A;;RPLCLORC;;;AU)" \ >+ "(A;;RPWPCRCCLCLORCWOWDSW;;;DA)" \ >+ "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" >+ return sddl2binary(sddl, domain_sid, name_map) >+ >+def get_domain_delete_protected2_descriptor(domain_sid, name_map={}): >+ sddl = "D:AI" \ >+ "(A;;RPLCLORC;;;AU)" \ >+ "(A;;RPWPCRCCDCLCLORCWOWDSW;;;DA)" \ >+ "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" >+ return sddl2binary(sddl, domain_sid, name_map) >+ >+def get_dns_partition_descriptor(domain_sid, name_map={}): >+ sddl = "O:SYG:BAD:AI" \ >+ "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ >+ "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ >+ "(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ >+ "(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ >+ "(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ >+ "(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ >+ "(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ >+ 
"(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ >+ "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ >+ "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ >+ "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ER)" \ >+ "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)" \ >+ "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)" \ >+ "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)" \ >+ "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)" \ >+ "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ >+ "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ >+ "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ >+ "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ >+ "(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ >+ "(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;IF)" \ >+ "(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)" \ >+ "(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)" \ >+ "(OA;CIIO;RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ >+ "(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)" \ >+ "(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ >+ "(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)" \ >+ "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)" \ >+ "(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)" \ >+ "(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)" \ >+ "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ >+ "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ >+ "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ >+ "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ >+ "(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ >+ "(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)" \ >+ "(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)" \ >+ 
"(A;;RPWPCRCCLCLORCWOWDSW;;;DA)" \
>+ "(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)" \
>+ "(A;;RPRC;;;RU)" \
>+ "(A;CI;LC;;;RU)" \
>+ "(A;CI;RPWPCRCCLCLORCWOWDSDSW;;;BA)" \
>+ "(A;;RP;;;WD)" \
>+ "(A;;RPLCLORC;;;ED)" \
>+ "(A;;RPLCLORC;;;AU)" \
>+ "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \
>+ "S:AI" \
>+ "(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" \
>+ "(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" \
>+ "(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWOWD;;;WD)"
>+ return sddl2binary(sddl, domain_sid, name_map)
>+
>+def get_dns_forest_microsoft_dns_descriptor(domain_sid, name_map={}):
>+ sddl = "O:SYG:SYD:AI" \
>+ "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \
>+ "(A;CI;RPWPCRCCDCLCRCWOWDSDDTSW;;;ED)"
>+ return sddl2binary(sddl, domain_sid, name_map)
>+
>+def get_dns_domain_microsoft_dns_descriptor(domain_sid, name_map={}):
>+ sddl = "O:SYG:SYD:AI" \
>+ "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" \
>+ "(A;CI;RPWPCRCCDCLCRCWOWDSDDTSW;;;DnsAdmins)" \
>+ "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \
>+ "(A;CI;RPWPCRCCDCLCRCWOWDSDDTSW;;;ED)"
>+ return sddl2binary(sddl, domain_sid, name_map)
>+
>+def get_wellknown_sds(names, samdb):
>+
>+ # Then subcontainers
>+ subcontainers = [
>+ (ldb.Dn(samdb, "%s" % str(names.domaindn)), get_domain_descriptor),
>+ (ldb.Dn(samdb, "CN=LostAndFound,%s" % str(names.domaindn)), get_domain_delete_protected2_descriptor),
>+ (ldb.Dn(samdb, "CN=System,%s" % str(names.domaindn)), get_domain_delete_protected1_descriptor),
>+ (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(names.domaindn)), get_domain_infrastructure_descriptor),
>+ (ldb.Dn(samdb, "CN=Builtin,%s" % str(names.domaindn)), get_domain_builtin_descriptor),
>+ (ldb.Dn(samdb, "CN=Computers,%s" % str(names.domaindn)), get_domain_computers_descriptor),
>+ (ldb.Dn(samdb, "CN=Users,%s" % str(names.domaindn)), get_domain_users_descriptor),
>+ (ldb.Dn(samdb, "OU=Domain Controllers,%s" % str(names.domaindn)),
get_domain_controllers_descriptor),
>+ (ldb.Dn(samdb, "CN=MicrosoftDNS,CN=System,%s" % str(names.domaindn)), get_dns_domain_microsoft_dns_descriptor),
>+
>+ (ldb.Dn(samdb, "%s" % str(names.configdn)), get_config_descriptor),
>+ (ldb.Dn(samdb, "CN=NTDS Quotas,%s" % str(names.configdn)), get_config_ntds_quotas_descriptor),
>+ (ldb.Dn(samdb, "CN=LostAndFoundConfig,%s" % str(names.configdn)), get_config_delete_protected1wd_descriptor),
>+ (ldb.Dn(samdb, "CN=Services,%s" % str(names.configdn)), get_config_delete_protected1_descriptor),
>+ (ldb.Dn(samdb, "CN=Physical Locations,%s" % str(names.configdn)), get_config_delete_protected1wd_descriptor),
>+ (ldb.Dn(samdb, "CN=WellKnown Security Principals,%s" % str(names.configdn)), get_config_delete_protected1wd_descriptor),
>+ (ldb.Dn(samdb, "CN=ForestUpdates,%s" % str(names.configdn)), get_config_delete_protected1wd_descriptor),
>+ (ldb.Dn(samdb, "CN=DisplaySpecifiers,%s" % str(names.configdn)), get_config_delete_protected2_descriptor),
>+ (ldb.Dn(samdb, "CN=Extended-Rights,%s" % str(names.configdn)), get_config_delete_protected2_descriptor),
>+ (ldb.Dn(samdb, "CN=Partitions,%s" % str(names.configdn)), get_config_partitions_descriptor),
>+ (ldb.Dn(samdb, "CN=Sites,%s" % str(names.configdn)), get_config_sites_descriptor),
>+
>+ (ldb.Dn(samdb, "%s" % str(names.schemadn)), get_schema_descriptor),
>+ ]
>+
>+ if names.dnsforestdn is not None:
>+ c = (ldb.Dn(samdb, "%s" % str(names.dnsforestdn)), get_dns_partition_descriptor)
>+ subcontainers.append(c)
>+ c = (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(names.dnsforestdn)),
>+ get_domain_delete_protected1_descriptor)
>+ subcontainers.append(c)
>+ c = (ldb.Dn(samdb, "CN=LostAndFound,%s" % str(names.dnsforestdn)),
>+ get_domain_delete_protected2_descriptor)
>+ subcontainers.append(c)
>+ c = (ldb.Dn(samdb, "CN=MicrosoftDNS,%s" % str(names.dnsforestdn)),
>+ get_dns_forest_microsoft_dns_descriptor)
>+ subcontainers.append(c)
>+
>+ if names.dnsdomaindn is not None:
>+ c = (ldb.Dn(samdb,
"%s" % str(names.dnsdomaindn)), get_dns_partition_descriptor)
>+ subcontainers.append(c)
>+ c = (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(names.dnsdomaindn)),
>+ get_domain_delete_protected1_descriptor)
>+ subcontainers.append(c)
>+ c = (ldb.Dn(samdb, "CN=LostAndFound,%s" % str(names.dnsdomaindn)),
>+ get_domain_delete_protected2_descriptor)
>+ subcontainers.append(c)
>+ c = (ldb.Dn(samdb, "CN=MicrosoftDNS,%s" % str(names.dnsdomaindn)),
>+ get_dns_domain_microsoft_dns_descriptor)
>+ subcontainers.append(c)
>+
>+ return subcontainers
>diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
>index a5385e7..32baac6 100644
>--- a/python/samba/provision/__init__.py
>+++ b/python/samba/provision/__init__.py
>@@ -76,7 +76,7 @@ from samba.provision.backend import (
> LDBBackend,
> OpenLDAPBackend,
> )
>-from samba.provision.descriptor import (
>+from samba.descriptor import (
> get_empty_descriptor,
> get_config_descriptor,
> get_config_partitions_descriptor,
>diff --git a/python/samba/provision/descriptor.py b/python/samba/provision/descriptor.py
>deleted file mode 100644
>index 9916a22..0000000
>--- a/python/samba/provision/descriptor.py
>+++ /dev/null
>@@ -1,418 +0,0 @@ >- >-# Unix SMB/CIFS implementation. >-# backend code for provisioning a Samba4 server >- >-# Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2010 >-# Copyright (C) Andrew Bartlett <abartlet@samba.org> 2008-2009 >-# Copyright (C) Oliver Liebel <oliver@itc.li> 2008-2009 >-# Copyright (C) Amitay Isaacs <amitay@samba.org> 2011 >-# >-# Based on the original in EJS: >-# Copyright (C) Andrew Tridgell <tridge@samba.org> 2005 >-# >-# This program is free software; you can redistribute it and/or modify >-# it under the terms of the GNU General Public License as published by >-# the Free Software Foundation; either version 3 of the License, or >-# (at your option) any later version. >-# >-# This program is distributed in the hope that it will be useful, >-# but WITHOUT ANY WARRANTY; without even the implied warranty of >-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >-# GNU General Public License for more details. >-# >-# You should have received a copy of the GNU General Public License >-# along with this program. If not, see <http://www.gnu.org/licenses/>. 
>-# >- >-"""Functions for setting up a Samba configuration (security descriptors).""" >- >-from samba.dcerpc import security >-from samba.ndr import ndr_pack >-from samba.schema import get_schema_descriptor >-import ldb >- >-# Descriptors of naming contexts and other important objects >- >-def sddl2binary(sddl_in, domain_sid, name_map): >- sddl = "%s" % sddl_in >- >- for [name, sid] in name_map.items(): >- sddl = sddl.replace(name, sid) >- >- sec = security.descriptor.from_sddl(sddl, domain_sid) >- return ndr_pack(sec) >- >-def get_empty_descriptor(domain_sid, name_map={}): >- sddl= "" >- return sddl2binary(sddl, domain_sid, name_map) >- >-# "get_schema_descriptor" is located in "schema.py" >- >-def get_config_descriptor(domain_sid, name_map={}): >- sddl = "O:EAG:EAD:(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ >- "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ >- "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ >- "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ >- "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ >- "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ >- "(A;;RPLCLORC;;;AU)(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)" \ >- "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;CIIO;RPWPCRCCLCLORCWOWDSDSW;;;DA)" \ >- "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ >- "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)" \ >- "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ >- "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)" \ >- "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ER)" \ >- "S:(AU;SA;WPWOWD;;;WD)(AU;SA;CR;;;BA)(AU;SA;CR;;;DU)" \ >- "(OU;SA;CR;45ec5156-db7e-47bb-b53f-dbeb2d03c40f;;WD)" >- return sddl2binary(sddl, domain_sid, name_map) >- >-def get_config_partitions_descriptor(domain_sid, name_map={}): >- sddl = "D:" \ >- "(A;;LCLORC;;;AU)" \ >- "(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)" \ >- "(OA;;RP;d31a8757-2447-4545-8081-3bb610cacbf2;;AU)" \ >- "(OA;;RP;66171887-8f3c-11d0-afda-00c04fd930c9;;AU)" \ >- 
"(OA;;RP;032160bf-9824-11d1-aec0-0000f80367c1;;AU)" \ >- "(OA;;RP;789ee1eb-8c8e-4e4c-8cec-79b31b7617b5;;AU)" \ >- "(OA;;RP;5706aeaf-b940-4fb2-bcfc-5268683ad9fe;;AU)" \ >- "(A;;RPWPCRCCLCLORCWOWDSW;;;EA)" \ >- "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ >- "(A;;CC;;;ED)" \ >- "(OA;CIIO;WP;3df793df-9858-4417-a701-735a1ecebf74;bf967a8d-0de6-11d0-a285-00aa003049e2;BA)" \ >- "S:" \ >- "(AU;CISA;WPCRCCDCWOWDSDDT;;;WD)" >- return sddl2binary(sddl, domain_sid, name_map) >- >-def get_config_sites_descriptor(domain_sid, name_map={}): >- sddl = "D:" \ >- "(A;;RPLCLORC;;;AU)" \ >- "(OA;CIIO;SW;d31a8757-2447-4545-8081-3bb610cacbf2;f0f8ffab-1191-11d0-a060-00aa006c33ed;ER)" \ >- "(A;;RPWPCRCCLCLORCWOWDSW;;;EA)" \ >- "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ >- "S:" \ >- "(AU;CISA;CCDCSDDT;;;WD)" \ >- "(OU;CIIOSA;CR;;f0f8ffab-1191-11d0-a060-00aa006c33ed;WD)" \ >- "(OU;CIIOSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967ab3-0de6-11d0-a285-00aa003049e2;WD)" \ >- "(OU;CIIOSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967ab3-0de6-11d0-a285-00aa003049e2;WD)" \ >- "(OU;CIIOSA;WP;3e10944c-c354-11d0-aff8-0000f80367c1;b7b13124-b82e-11d0-afee-0000f80367c1;WD)" >- return sddl2binary(sddl, domain_sid, name_map) >- >-def get_config_ntds_quotas_descriptor(domain_sid, name_map={}): >- sddl = "D:" \ >- "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)" \ >- "(A;;RPLCLORC;;;BA)" \ >- "(OA;;CR;4ecc03fe-ffc0-4947-b630-eb672a8a9dbc;;WD)" >- return sddl2binary(sddl, domain_sid, name_map) >- >-def get_config_delete_protected1_descriptor(domain_sid, name_map={}): >- sddl = "D:AI" \ >- "(A;;RPLCLORC;;;AU)" \ >- "(A;;RPWPCRCCLCLORCWOWDSW;;;EA)" \ >- "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" >- return sddl2binary(sddl, domain_sid, name_map) >- >-def get_config_delete_protected1wd_descriptor(domain_sid, name_map={}): >- sddl = "D:AI" \ >- "(A;;RPLCLORC;;;WD)" \ >- "(A;;RPWPCRCCLCLORCWOWDSW;;;EA)" \ >- "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" >- return sddl2binary(sddl, domain_sid, name_map) >- >-def 
get_config_delete_protected2_descriptor(domain_sid, name_map={}): >- sddl = "D:AI" \ >- "(A;;RPLCLORC;;;AU)" \ >- "(A;;RPWPCRCCDCLCLORCWOWDSW;;;EA)" \ >- "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" >- return sddl2binary(sddl, domain_sid, name_map) >- >-def get_domain_descriptor(domain_sid, name_map={}): >- sddl= "O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ >- "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ >- "(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ >- "(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ >- "(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ >- "(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ >- "(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ >- "(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ >- "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ >- "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ >- "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ER)" \ >- "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)" \ >- "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)" \ >- "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)" \ >- "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)" \ >- "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)" \ >- "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ >- "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ >- "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ >- "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ >- 
"(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ >- "(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;IF)" \ >- "(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)" \ >- "(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)" \ >- "(OA;CIIO;RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ >- "(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)" \ >- "(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ >- "(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)" \ >- "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)" \ >- "(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)" \ >- "(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)" \ >- "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ >- "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ >- "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ >- "(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ >- "(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)" \ >- "(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)" \ >- "(A;;RPWPCRCCLCLORCWOWDSW;;;DA)" \ >- "(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)" \ >- "(A;;RPRC;;;RU)" \ >- "(A;CI;LC;;;RU)" \ >- "(A;CI;RPWPCRCCLCLORCWOWDSDSW;;;BA)" \ >- "(A;;RP;;;WD)" \ >- "(A;;RPLCLORC;;;ED)" \ >- "(A;;RPLCLORC;;;AU)" \ >- "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ >- "S:AI(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" \ >- "(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" \ >- "(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWOWD;;;WD)" >- return sddl2binary(sddl, domain_sid, name_map) >- >-def get_domain_infrastructure_descriptor(domain_sid, name_map={}): >- sddl = "D:" \ >- "(A;;RPLCLORC;;;AU)" \ >- "(A;;RPWPCRCCLCLORCWOWDSW;;;DA)" \ >- "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ >- "S:" \ >- "(AU;SA;WPCR;;;WD)" >- return sddl2binary(sddl, domain_sid, name_map) >- >-def get_domain_builtin_descriptor(domain_sid, name_map={}): >- sddl = "D:" \ >- 
"(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ >- "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ >- "(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ >- "(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ >- "(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ >- "(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ >- "(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ >- "(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ >- "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ >- "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ >- "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ER)" \ >- "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)" \ >- "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)" \ >- "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)" \ >- "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)" \ >- "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)" \ >- "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ >- "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ >- "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ >- "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ >- "(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ >- "(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;IF)" \ >- "(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)" \ >- "(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)" \ >- "(OA;CIIO;RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ >- 
"(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)" \ >- "(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ >- "(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)" \ >- "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)" \ >- "(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)" \ >- "(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)" \ >- "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ >- "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ >- "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ >- "(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ >- "(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)" \ >- "(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)" \ >- "(A;;RPWPCRCCLCLORCWOWDSW;;;DA)" \ >- "(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)" \ >- "(A;;RPRC;;;RU)" \ >- "(A;CI;LC;;;RU)" \ >- "(A;CI;RPWPCRCCLCLORCWOWDSDSW;;;BA)" \ >- "(A;;RP;;;WD)" \ >- "(A;;RPLCLORC;;;ED)" \ >- "(A;;RPLCLORC;;;AU)" \ >- "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ >- "S:" \ >- "(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" \ >- "(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" \ >- "(AU;SA;CR;;;DU)" \ >- "(AU;SA;CR;;;BA)" \ >- "(AU;SA;WPWOWD;;;WD)" >- return sddl2binary(sddl, domain_sid, name_map) >- >-def get_domain_computers_descriptor(domain_sid, name_map={}): >- sddl = "D:" \ >- "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ >- "(A;;RPWPCRCCDCLCLORCWOWDSW;;;DA)" \ >- "(OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)" \ >- "(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)" \ >- "(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)" \ >- "(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)" \ >- "(A;;RPLCLORC;;;AU)" \ >- "(OA;;CCDC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;AO)" \ >- "S:" >- return sddl2binary(sddl, domain_sid, name_map) >- >-def get_domain_users_descriptor(domain_sid, name_map={}): >- sddl = "D:" \ >- "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ >- 
"(A;;RPWPCRCCDCLCLORCWOWDSW;;;DA)" \ >- "(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)" \ >- "(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)" \ >- "(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)" \ >- "(A;;RPLCLORC;;;AU)" \ >- "(OA;;CCDC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;AO)" \ >- "S:" >- return sddl2binary(sddl, domain_sid, name_map) >- >-def get_domain_controllers_descriptor(domain_sid, name_map={}): >- sddl = "D:" \ >- "(A;;RPLCLORC;;;AU)" \ >- "(A;;RPWPCRCCLCLORCWOWDSW;;;DA)" \ >- "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ >- "(A;;RPLCLORC;;;ED)" \ >- "S:" \ >- "(AU;SA;CCDCWOWDSDDT;;;WD)" \ >- "(AU;CISA;WP;;;WD)" >- return sddl2binary(sddl, domain_sid, name_map) >- >-def get_domain_delete_protected1_descriptor(domain_sid, name_map={}): >- sddl = "D:AI" \ >- "(A;;RPLCLORC;;;AU)" \ >- "(A;;RPWPCRCCLCLORCWOWDSW;;;DA)" \ >- "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" >- return sddl2binary(sddl, domain_sid, name_map) >- >-def get_domain_delete_protected2_descriptor(domain_sid, name_map={}): >- sddl = "D:AI" \ >- "(A;;RPLCLORC;;;AU)" \ >- "(A;;RPWPCRCCDCLCLORCWOWDSW;;;DA)" \ >- "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" >- return sddl2binary(sddl, domain_sid, name_map) >- >-def get_dns_partition_descriptor(domain_sid, name_map={}): >- sddl = "O:SYG:BAD:AI" \ >- "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ >- "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ >- "(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ >- "(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ >- "(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ >- "(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ >- "(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ >- 
"(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ >- "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ >- "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ >- "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ER)" \ >- "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)" \ >- "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)" \ >- "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)" \ >- "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)" \ >- "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ >- "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ >- "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ >- "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ >- "(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ >- "(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;IF)" \ >- "(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)" \ >- "(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)" \ >- "(OA;CIIO;RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ >- "(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)" \ >- "(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ >- "(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)" \ >- "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)" \ >- "(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)" \ >- "(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)" \ >- "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ >- "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ >- "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ >- "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ >- "(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ >- "(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)" \ >- "(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)" \ >- 
"(A;;RPWPCRCCLCLORCWOWDSW;;;DA)" \ >- "(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)" \ >- "(A;;RPRC;;;RU)" \ >- "(A;CI;LC;;;RU)" \ >- "(A;CI;RPWPCRCCLCLORCWOWDSDSW;;;BA)" \ >- "(A;;RP;;;WD)" \ >- "(A;;RPLCLORC;;;ED)" \ >- "(A;;RPLCLORC;;;AU)" \ >- "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ >- "S:AI" \ >- "(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" \ >- "(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" \ >- "(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWOWD;;;WD)" >- return sddl2binary(sddl, domain_sid, name_map) >- >-def get_dns_forest_microsoft_dns_descriptor(domain_sid, name_map={}): >- sddl = "O:SYG:SYD:AI" \ >- "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ >- "(A;CI;RPWPCRCCDCLCRCWOWDSDDTSW;;;ED)" >- return sddl2binary(sddl, domain_sid, name_map) >- >-def get_dns_domain_microsoft_dns_descriptor(domain_sid, name_map={}): >- sddl = "O:SYG:SYD:AI" \ >- "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" \ >- "(A;CI;RPWPCRCCDCLCRCWOWDSDDTSW;;;DnsAdmins)" \ >- "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ >- "(A;CI;RPWPCRCCDCLCRCWOWDSDDTSW;;;ED)" >- return sddl2binary(sddl, domain_sid, name_map) >- >-def get_wellknown_sds(names, samdb): >- >- # Then subcontainers >- subcontainers = [ >- (ldb.Dn(samdb, "%s" % str(names.domaindn)), get_domain_descriptor), >- (ldb.Dn(samdb, "CN=LostAndFound,%s" % str(names.domaindn)), get_domain_delete_protected2_descriptor), >- (ldb.Dn(samdb, "CN=System,%s" % str(names.domaindn)), get_domain_delete_protected1_descriptor), >- (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(names.domaindn)), get_domain_infrastructure_descriptor), >- (ldb.Dn(samdb, "CN=Builtin,%s" % str(names.domaindn)), get_domain_builtin_descriptor), >- (ldb.Dn(samdb, "CN=Computers,%s" % str(names.domaindn)), get_domain_computers_descriptor), >- (ldb.Dn(samdb, "CN=Users,%s" % str(names.domaindn)), get_domain_users_descriptor), >- (ldb.Dn(samdb, "OU=Domain Controllers,%s" % str(names.domaindn)), 
get_domain_controllers_descriptor), >- (ldb.Dn(samdb, "CN=MicrosoftDNS,CN=System,%s" % str(names.domaindn)), get_dns_domain_microsoft_dns_descriptor), >- >- (ldb.Dn(samdb, "%s" % str(names.configdn)), get_config_descriptor), >- (ldb.Dn(samdb, "CN=NTDS Quotas,%s" % str(names.configdn)), get_config_ntds_quotas_descriptor), >- (ldb.Dn(samdb, "CN=LostAndFoundConfig,%s" % str(names.configdn)), get_config_delete_protected1wd_descriptor), >- (ldb.Dn(samdb, "CN=Services,%s" % str(names.configdn)), get_config_delete_protected1_descriptor), >- (ldb.Dn(samdb, "CN=Physical Locations,%s" % str(names.configdn)), get_config_delete_protected1wd_descriptor), >- (ldb.Dn(samdb, "CN=WellKnown Security Principals,%s" % str(names.configdn)), get_config_delete_protected1wd_descriptor), >- (ldb.Dn(samdb, "CN=ForestUpdates,%s" % str(names.configdn)), get_config_delete_protected1wd_descriptor), >- (ldb.Dn(samdb, "CN=DisplaySpecifiers,%s" % str(names.configdn)), get_config_delete_protected2_descriptor), >- (ldb.Dn(samdb, "CN=Extended-Rights,%s" % str(names.configdn)), get_config_delete_protected2_descriptor), >- (ldb.Dn(samdb, "CN=Partitions,%s" % str(names.configdn)), get_config_partitions_descriptor), >- (ldb.Dn(samdb, "CN=Sites,%s" % str(names.configdn)), get_config_sites_descriptor), >- >- (ldb.Dn(samdb, "%s" % str(names.schemadn)), get_schema_descriptor), >- ] >- >- if names.dnsforestdn is not None: >- c = (ldb.Dn(samdb, "%s" % str(names.dnsforestdn)), get_dns_partition_descriptor) >- subcontainers.append(c) >- c = (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(names.dnsforestdn)), >- get_domain_delete_protected1_descriptor) >- subcontainers.append(c) >- c = (ldb.Dn(samdb, "CN=LostAndFound,%s" % str(names.dnsforestdn)), >- get_domain_delete_protected2_descriptor) >- subcontainers.append(c) >- c = (ldb.Dn(samdb, "CN=MicrosoftDNS,%s" % str(names.dnsforestdn)), >- get_dns_forest_microsoft_dns_descriptor) >- subcontainers.append(c) >- >- if names.dnsdomaindn is not None: >- c = (ldb.Dn(samdb, 
"%s" % str(names.dnsdomaindn)), get_dns_partition_descriptor)
>- subcontainers.append(c)
>- c = (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(names.dnsdomaindn)),
>- get_domain_delete_protected1_descriptor)
>- subcontainers.append(c)
>- c = (ldb.Dn(samdb, "CN=LostAndFound,%s" % str(names.dnsdomaindn)),
>- get_domain_delete_protected2_descriptor)
>- subcontainers.append(c)
>- c = (ldb.Dn(samdb, "CN=MicrosoftDNS,%s" % str(names.dnsdomaindn)),
>- get_dns_domain_microsoft_dns_descriptor)
>- subcontainers.append(c)
>-
>- return subcontainers
>diff --git a/python/samba/provision/sambadns.py b/python/samba/provision/sambadns.py
>index 4522683..a5a45cf 100644
>--- a/python/samba/provision/sambadns.py
>+++ b/python/samba/provision/sambadns.py
>@@ -36,7 +36,7 @@ from samba.dsdb import (
> DS_DOMAIN_FUNCTION_2003,
> DS_DOMAIN_FUNCTION_2008_R2
> )
>-from samba.provision.descriptor import (
>+from samba.descriptor import (
> get_domain_descriptor,
> get_domain_delete_protected1_descriptor,
> get_domain_delete_protected2_descriptor,
>diff --git a/source4/scripting/bin/samba_upgradeprovision b/source4/scripting/bin/samba_upgradeprovision
>index c6fc8f2..c0ce040 100755
>--- a/source4/scripting/bin/samba_upgradeprovision
>+++ b/source4/scripting/bin/samba_upgradeprovision
>@@ -46,7 +46,7 @@ from ldb import (SCOPE_SUBTREE, SCOPE_BASE,
> MessageElement, Message, Dn, LdbError)
> from samba import param, dsdb, Ldb
> from samba.common import confirm
>-from samba.provision.descriptor import get_wellknown_sds, get_empty_descriptor
>+from samba.descriptor import get_wellknown_sds, get_empty_descriptor
> from samba.provision import (find_provision_key_parameters,
> ProvisioningError, get_last_provision_usn,
> get_max_usn, update_provision_usn, setup_path)
>--
>1.7.11.7
>
>
>From bf8f388040bfae4f2941745b1da8d1da50df79ba Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Fri, 22 Mar 2013 11:15:38 +1100
>Subject: [PATCH 05/12] scripting: Modify samba.descriptor.get_wellknown_sds()
> use samdb calls only
>
>We need this routine not to use the names context as this is tied to
>provision, and we end up in a circular dependency if we use that in
>dbcheck.
>
>Andrew Bartlett
>(cherry picked from commit a113ddbf881c5905bbf7072638c7ba8843eeb85e)
>---
> python/samba/descriptor.py | 107 +++++++++++++++------------
> source4/scripting/bin/samba_upgradeprovision | 2 +-
> 2 files changed, 59 insertions(+), 50 deletions(-)
>
>diff --git a/python/samba/descriptor.py b/python/samba/descriptor.py
>index 9916a22..f9fb3c6 100644
>--- a/python/samba/descriptor.py
>+++ b/python/samba/descriptor.py
>@@ -360,59 +360,68 @@ def get_dns_domain_microsoft_dns_descriptor(domain_sid, name_map={}):
> "(A;CI;RPWPCRCCDCLCRCWOWDSDDTSW;;;ED)"
> return sddl2binary(sddl, domain_sid, name_map)
>
>-def get_wellknown_sds(names, samdb):
>+def get_wellknown_sds(samdb):
>
> # Then subcontainers
> subcontainers = [
>- (ldb.Dn(samdb, "%s" % str(names.domaindn)), get_domain_descriptor),
>- (ldb.Dn(samdb, "CN=LostAndFound,%s" % str(names.domaindn)), get_domain_delete_protected2_descriptor),
>- (ldb.Dn(samdb, "CN=System,%s" % str(names.domaindn)), get_domain_delete_protected1_descriptor),
>- (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(names.domaindn)), get_domain_infrastructure_descriptor),
>- (ldb.Dn(samdb, "CN=Builtin,%s" % str(names.domaindn)), get_domain_builtin_descriptor),
>- (ldb.Dn(samdb, "CN=Computers,%s" % str(names.domaindn)), get_domain_computers_descriptor),
>- (ldb.Dn(samdb, "CN=Users,%s" % str(names.domaindn)), get_domain_users_descriptor),
>- (ldb.Dn(samdb, "OU=Domain Controllers,%s" % str(names.domaindn)), get_domain_controllers_descriptor),
>- (ldb.Dn(samdb, "CN=MicrosoftDNS,CN=System,%s" % str(names.domaindn)), get_dns_domain_microsoft_dns_descriptor),
>-
>- (ldb.Dn(samdb, "%s" % str(names.configdn)), get_config_descriptor),
>- (ldb.Dn(samdb, "CN=NTDS Quotas,%s" % str(names.configdn)), get_config_ntds_quotas_descriptor),
>- (ldb.Dn(samdb, "CN=LostAndFoundConfig,%s" % str(names.configdn)), get_config_delete_protected1wd_descriptor),
>- (ldb.Dn(samdb, "CN=Services,%s" % str(names.configdn)), get_config_delete_protected1_descriptor),
>- (ldb.Dn(samdb, "CN=Physical Locations,%s" % str(names.configdn)), get_config_delete_protected1wd_descriptor),
>- (ldb.Dn(samdb, "CN=WellKnown Security Principals,%s" % str(names.configdn)), get_config_delete_protected1wd_descriptor),
>- (ldb.Dn(samdb, "CN=ForestUpdates,%s" % str(names.configdn)), get_config_delete_protected1wd_descriptor),
>- (ldb.Dn(samdb, "CN=DisplaySpecifiers,%s" % str(names.configdn)),
get_config_delete_protected2_descriptor),
>- (ldb.Dn(samdb, "CN=Extended-Rights,%s" % str(names.configdn)), get_config_delete_protected2_descriptor),
>- (ldb.Dn(samdb, "CN=Partitions,%s" % str(names.configdn)), get_config_partitions_descriptor),
>- (ldb.Dn(samdb, "CN=Sites,%s" % str(names.configdn)), get_config_sites_descriptor),
>-
>- (ldb.Dn(samdb, "%s" % str(names.schemadn)), get_schema_descriptor),
>+ (ldb.Dn(samdb, "%s" % str(samdb.domain_dn())), get_domain_descriptor),
>+ (ldb.Dn(samdb, "CN=LostAndFound,%s" % str(samdb.domain_dn())), get_domain_delete_protected2_descriptor),
>+ (ldb.Dn(samdb, "CN=System,%s" % str(samdb.domain_dn())), get_domain_delete_protected1_descriptor),
>+ (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(samdb.domain_dn())), get_domain_infrastructure_descriptor),
>+ (ldb.Dn(samdb, "CN=Builtin,%s" % str(samdb.domain_dn())), get_domain_builtin_descriptor),
>+ (ldb.Dn(samdb, "CN=Computers,%s" % str(samdb.domain_dn())), get_domain_computers_descriptor),
>+ (ldb.Dn(samdb, "CN=Users,%s" % str(samdb.domain_dn())), get_domain_users_descriptor),
>+ (ldb.Dn(samdb, "OU=Domain Controllers,%s" % str(samdb.domain_dn())), get_domain_controllers_descriptor),
>+ (ldb.Dn(samdb, "CN=MicrosoftDNS,CN=System,%s" % str(samdb.domain_dn())), get_dns_domain_microsoft_dns_descriptor),
>+
>+ (ldb.Dn(samdb, "%s" % str(samdb.get_config_basedn())), get_config_descriptor),
>+ (ldb.Dn(samdb, "CN=NTDS Quotas,%s" % str(samdb.get_config_basedn())), get_config_ntds_quotas_descriptor),
>+ (ldb.Dn(samdb, "CN=LostAndFoundConfig,%s" % str(samdb.get_config_basedn())), get_config_delete_protected1wd_descriptor),
>+ (ldb.Dn(samdb, "CN=Services,%s" % str(samdb.get_config_basedn())), get_config_delete_protected1_descriptor),
>+ (ldb.Dn(samdb, "CN=Physical Locations,%s" % str(samdb.get_config_basedn())), get_config_delete_protected1wd_descriptor),
>+ (ldb.Dn(samdb, "CN=WellKnown Security Principals,%s" % str(samdb.get_config_basedn())), get_config_delete_protected1wd_descriptor),
>+
(ldb.Dn(samdb, "CN=ForestUpdates,%s" % str(samdb.get_config_basedn())), get_config_delete_protected1wd_descriptor), >+ (ldb.Dn(samdb, "CN=DisplaySpecifiers,%s" % str(samdb.get_config_basedn())), get_config_delete_protected2_descriptor), >+ (ldb.Dn(samdb, "CN=Extended-Rights,%s" % str(samdb.get_config_basedn())), get_config_delete_protected2_descriptor), >+ (ldb.Dn(samdb, "CN=Partitions,%s" % str(samdb.get_config_basedn())), get_config_partitions_descriptor), >+ (ldb.Dn(samdb, "CN=Sites,%s" % str(samdb.get_config_basedn())), get_config_sites_descriptor), >+ >+ (ldb.Dn(samdb, "%s" % str(samdb.get_schema_basedn())), get_schema_descriptor), > ] > >- if names.dnsforestdn is not None: >- c = (ldb.Dn(samdb, "%s" % str(names.dnsforestdn)), get_dns_partition_descriptor) >- subcontainers.append(c) >- c = (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(names.dnsforestdn)), >- get_domain_delete_protected1_descriptor) >- subcontainers.append(c) >- c = (ldb.Dn(samdb, "CN=LostAndFound,%s" % str(names.dnsforestdn)), >- get_domain_delete_protected2_descriptor) >- subcontainers.append(c) >- c = (ldb.Dn(samdb, "CN=MicrosoftDNS,%s" % str(names.dnsforestdn)), >- get_dns_forest_microsoft_dns_descriptor) >- subcontainers.append(c) >- >- if names.dnsdomaindn is not None: >- c = (ldb.Dn(samdb, "%s" % str(names.dnsdomaindn)), get_dns_partition_descriptor) >- subcontainers.append(c) >- c = (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(names.dnsdomaindn)), >- get_domain_delete_protected1_descriptor) >- subcontainers.append(c) >- c = (ldb.Dn(samdb, "CN=LostAndFound,%s" % str(names.dnsdomaindn)), >- get_domain_delete_protected2_descriptor) >- subcontainers.append(c) >- c = (ldb.Dn(samdb, "CN=MicrosoftDNS,%s" % str(names.dnsdomaindn)), >- get_dns_domain_microsoft_dns_descriptor) >- subcontainers.append(c) >+ current = samdb.search(expression="(objectClass=*)", >+ base="", scope=ldb.SCOPE_BASE, >+ attrs=["namingContexts"]) >+ >+ for nc in current[0]["namingContexts"]: >+ >+ dnsforestdn = ldb.Dn(samdb, 
"DC=ForestDnsZones,%s" % (str(samdb.get_root_basedn()))) >+ if ldb.Dn(samdb, nc) == dnsforestdn: >+ c = (ldb.Dn(samdb, "%s" % str(dnsforestdn)), get_dns_partition_descriptor) >+ subcontainers.append(c) >+ c = (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(dnsforestdn)), >+ get_domain_delete_protected1_descriptor) >+ subcontainers.append(c) >+ c = (ldb.Dn(samdb, "CN=LostAndFound,%s" % str(dnsforestdn)), >+ get_domain_delete_protected2_descriptor) >+ subcontainers.append(c) >+ c = (ldb.Dn(samdb, "CN=MicrosoftDNS,%s" % str(dnsforestdn)), >+ get_dns_forest_microsoft_dns_descriptor) >+ subcontainers.append(c) >+ continue >+ >+ dnsdomaindn = ldb.Dn(samdb, "DC=DomainDnsZones,%s" % (str(samdb.domain_dn()))) >+ if ldb.Dn(samdb, nc) == dnsdomaindn: >+ c = (ldb.Dn(samdb, "%s" % str(dnsdomaindn)), get_dns_partition_descriptor) >+ subcontainers.append(c) >+ c = (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(dnsdomaindn)), >+ get_domain_delete_protected1_descriptor) >+ subcontainers.append(c) >+ c = (ldb.Dn(samdb, "CN=LostAndFound,%s" % str(dnsdomaindn)), >+ get_domain_delete_protected2_descriptor) >+ subcontainers.append(c) >+ c = (ldb.Dn(samdb, "CN=MicrosoftDNS,%s" % str(dnsdomaindn)), >+ get_dns_domain_microsoft_dns_descriptor) >+ subcontainers.append(c) > > return subcontainers >diff --git a/source4/scripting/bin/samba_upgradeprovision b/source4/scripting/bin/samba_upgradeprovision >index c0ce040..92d5773 100755 >--- a/source4/scripting/bin/samba_upgradeprovision >+++ b/source4/scripting/bin/samba_upgradeprovision >@@ -1211,7 +1211,7 @@ def fix_wellknown_sd(samdb, names): > > list_wellknown_dns = [] > >- subcontainers = get_wellknown_sds(names, samdb) >+ subcontainers = get_wellknown_sds(samdb) > > for [dn, descriptor_fn] in subcontainers: > list_wellknown_dns.append(dn) >-- >1.7.11.7 > > >From 956eb90fa46ec43590e9fbf843b5753dc6f18f64 Mon Sep 17 00:00:00 2001 
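Review bot: Both `dnsforestdn` and `dnsdomaindn` are rebuilt inside the `for nc in current[0]["namingContexts"]` loop although neither depends on `nc`; construct them once before the loop and test each NC against both. A naming context matching neither DN is dropped without comment, which is correct for the domain, config and schema NCs already listed in `subcontainers`, but a reader may expect other application partitions to be covered, so say so: `# only the two DNS application partitions carry well-known SDs; domain/config/schema are listed above`. The rootDSE search uses `scope=ldb.SCOPE_BASE` with `base=""`, so `current[0]` is expected to exist; if that assumption ever fails the `IndexError` is unhelpful, and a short comment noting the assumption is cheaper than a guard.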
>From: Andrew Bartlett <abartlet@samba.org> >Date: Fri, 22 Mar 2013 16:19:27 +1100 >Subject: [PATCH 06/12] scripting: Move get_diff_sds from samba.upgradehelpers > to samba.descriptor > >This helps avoid a dependency loop when we use get_diff_sds in dbcheck. > >Andrew Bartlett > >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit 9040e2684161ce75738e9da0fee191aa34858607) >--- > python/samba/descriptor.py | 154 +++++++++++++++++++++++++++ > python/samba/tests/upgradeprovision.py | 4 +- > python/samba/upgradehelpers.py | 153 -------------------------- > source4/scripting/bin/samba_upgradeprovision | 4 +- > 4 files changed, 158 insertions(+), 157 deletions(-) > >diff --git a/python/samba/descriptor.py b/python/samba/descriptor.py >index f9fb3c6..4137bc3 100644 >--- a/python/samba/descriptor.py >+++ b/python/samba/descriptor.py >@@ -30,6 +30,7 @@ from samba.dcerpc import security > from samba.ndr import ndr_pack > from samba.schema import get_schema_descriptor > import ldb >+import re > > # Descriptors of naming contexts and other important objects 
> >@@ -425,3 +426,156 @@ def get_wellknown_sds(samdb): > subcontainers.append(c) > > return subcontainers >+ >+ >+def chunck_acl(acl): >+ """Return separate ACE of an ACL >+ >+ :param acl: A string representing the ACL >+ :return: A hash with different parts >+ """ >+ >+ p = re.compile(r'(\w+)?(\(.*?\))') >+ tab = p.findall(acl) >+ >+ hash = {} >+ hash["aces"] = [] >+ for e in tab: >+ if len(e[0]) > 0: >+ hash["flags"] = e[0] >+ hash["aces"].append(e[1]) >+ >+ return hash >+ >+ >+def chunck_sddl(sddl): >+ """ Return separate parts of the SDDL (owner, group, ...) >+ >+ :param sddl: An string containing the SDDL to chunk >+ :return: A hash with the different chunk >+ """ >+ >+ p = re.compile(r'([OGDS]:)(.*?)(?=(?:[GDS]:|$))') >+ tab = p.findall(sddl) >+ >+ hash = {} >+ for e in tab: >+ if e[0] == "O:": >+ hash["owner"] = e[1] >+ if e[0] == "G:": >+ hash["group"] = e[1] >+ if e[0] == "D:": >+ hash["dacl"] = e[1] >+ if e[0] == "S:": >+ hash["sacl"] = e[1] >+ >+ return hash >+ >+ >+def get_clean_sd(sd): >+ """Get the SD without any inherited ACEs >+ >+ :param sd: SD to strip >+ :return: An SD with inherited ACEs stripped >+ """ >+ >+ sd_clean = security.descriptor() >+ sd_clean.owner_sid = sd.owner_sid >+ sd_clean.group_sid = sd.group_sid >+ sd_clean.type = sd.type >+ sd_clean.revision = sd.revision >+ >+ aces = [] >+ if sd.sacl is not None: >+ aces = sd.sacl.aces >+ for i in range(0, len(aces)): >+ ace = aces[i] >+ >+ if not ace.flags & security.SEC_ACE_FLAG_INHERITED_ACE: >+ sd_clean.sacl_add(ace) >+ continue >+ >+ aces = [] >+ if sd.dacl is not None: >+ aces = sd.dacl.aces >+ for i in range(0, len(aces)): >+ ace = aces[i] >+ >+ if not ace.flags & security.SEC_ACE_FLAG_INHERITED_ACE: >+ sd_clean.dacl_add(ace) >+ continue >+ return sd_clean >+ >+ >+def get_diff_sds(refsd, cursd, domainsid, checkSacl = True): >+ """Get the difference between 2 sd >+ >+ This function split the textual representation of ACL into smaller >+ chunck in order to not to report a simple 
permutation as a difference >+ >+ :param refsddl: First sddl to compare >+ :param cursddl: Second sddl to compare >+ :param checkSacl: If false we skip the sacl checks >+ :return: A string that explain difference between sddls >+ """ >+ >+ cursddl = get_clean_sd(cursd).as_sddl(domainsid) >+ refsddl = get_clean_sd(refsd).as_sddl(domainsid) >+ >+ txt = "" >+ hash_cur = chunck_sddl(cursddl) >+ hash_ref = chunck_sddl(refsddl) >+ >+ if not hash_cur.has_key("owner"): >+ txt = "\tNo owner in current SD" >+ elif hash_cur["owner"] != hash_ref["owner"]: >+ txt = "\tOwner mismatch: %s (in ref) %s" \ >+ "(in current)\n" % (hash_ref["owner"], hash_cur["owner"]) >+ >+ if not hash_cur.has_key("group"): >+ txt = "%s\tNo group in current SD" % txt >+ elif hash_cur["group"] != hash_ref["group"]: >+ txt = "%s\tGroup mismatch: %s (in ref) %s" \ >+ "(in current)\n" % (txt, hash_ref["group"], hash_cur["group"]) >+ >+ parts = [ "dacl" ] >+ if checkSacl: >+ parts.append("sacl") >+ for part in parts: >+ if hash_cur.has_key(part) and hash_ref.has_key(part): >+ >+ # both are present, check if they contain the same ACE >+ h_cur = set() >+ h_ref = set() >+ c_cur = chunck_acl(hash_cur[part]) >+ c_ref = chunck_acl(hash_ref[part]) >+ >+ for elem in c_cur["aces"]: >+ h_cur.add(elem) >+ >+ for elem in c_ref["aces"]: >+ h_ref.add(elem) >+ >+ for k in set(h_ref): >+ if k in h_cur: >+ h_cur.remove(k) >+ h_ref.remove(k) >+ >+ if len(h_cur) + len(h_ref) > 0: >+ txt = "%s\tPart %s is different between reference" \ >+ " and current here is the detail:\n" % (txt, part) >+ >+ for item in h_cur: >+ txt = "%s\t\t%s ACE is not present in the" \ >+ " reference\n" % (txt, item) >+ >+ for item in h_ref: >+ txt = "%s\t\t%s ACE is not present in the" \ >+ " current\n" % (txt, item) >+ >+ elif hash_cur.has_key(part) and not hash_ref.has_key(part): >+ txt = "%s\tReference ACL hasn't a %s part\n" % (txt, part) >+ elif not hash_cur.has_key(part) and hash_ref.has_key(part): >+ txt = "%s\tCurrent ACL hasn't a %s part\n" 
% (txt, part) >+ >+ return txt >diff --git a/python/samba/tests/upgradeprovision.py b/python/samba/tests/upgradeprovision.py >index 4c80bf8..e4da593 100644 >--- a/python/samba/tests/upgradeprovision.py >+++ b/python/samba/tests/upgradeprovision.py >@@ -19,9 +19,9 @@ > > import os > from samba.upgradehelpers import (usn_in_range, dn_sort, >- get_diff_sds, update_secrets, >+ update_secrets, > construct_existor_expr) >- >+from samba.descriptor import get_diff_sds > from samba.tests.provision import create_dummy_secretsdb > from samba.tests import TestCaseInTempDir > from samba import Ldb >diff --git a/python/samba/upgradehelpers.py b/python/samba/upgradehelpers.py >index 13a3691..04f1e82 100644 >--- a/python/samba/upgradehelpers.py >+++ b/python/samba/upgradehelpers.py 
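Review bot: `get_diff_sds` compares each DACL/SACL part only as a set of ACE strings, so the ACL-level flags that `chunck_acl` stores in `hash["flags"]` (the `P` protected flag, `AI`/`AR` auto-inherit) are never compared; a well-known container whose DACL has been un-protected against a protected reference reports no difference, and dbcheck's `--reset-well-known-acls` will leave it in place. Add a per-part flags check after `c_ref = chunck_acl(hash_ref[part])`, e.g. `if c_cur.get("flags") != c_ref.get("flags"): txt = "%s\tPart %s flags differ: %s (in ref) %s (in current)\n" % (txt, part, c_ref.get("flags"), c_cur.get("flags"))`. The set comparison also collapses duplicate ACEs and ignores ACE order; the docstring presents order-insensitivity as deliberate ("not to report a simple permutation"), but since canonical ordering of deny ACEs affects effective access it should state that ordering is intentionally not verified. This hunk moves existing code rather than changing it, but it is now the basis of an ACL reset, which raises the bar.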
>@@ -302,159 +302,6 @@ def identic_rename(ldbobj, dn): > ldbobj.rename(ldb.Dn(ldbobj, "%s=foo%s" % (before, after)), dn, ["relax:0"]) > > >-def chunck_acl(acl): >- """Return separate ACE of an ACL >- >- :param acl: A string representing the ACL >- :return: A hash with different parts >- """ >- >- p = re.compile(r'(\w+)?(\(.*?\))') >- tab = p.findall(acl) >- >- hash = {} >- hash["aces"] = [] >- for e in tab: >- if len(e[0]) > 0: >- hash["flags"] = e[0] >- hash["aces"].append(e[1]) >- >- return hash >- >- >-def chunck_sddl(sddl): >- """ Return separate parts of the SDDL (owner, group, ...) >- >- :param sddl: An string containing the SDDL to chunk >- :return: A hash with the different chunk >- """ >- >- p = re.compile(r'([OGDS]:)(.*?)(?=(?:[GDS]:|$))') >- tab = p.findall(sddl) >- >- hash = {} >- for e in tab: >- if e[0] == "O:": >- hash["owner"] = e[1] >- if e[0] == "G:": >- hash["group"] = e[1] >- if e[0] == "D:": >- hash["dacl"] = e[1] >- if e[0] == "S:": >- hash["sacl"] = e[1] >- >- return hash >- >- >-def get_clean_sd(sd): >- """Get the SD without any inherited ACEs >- >- :param sd: SD to strip >- :return: An SD with inherited ACEs stripped >- """ >- >- sd_clean = security.descriptor() >- sd_clean.owner_sid = sd.owner_sid >- sd_clean.group_sid = sd.group_sid >- sd_clean.type = sd.type >- sd_clean.revision = sd.revision >- >- aces = [] >- if sd.sacl is not None: >- aces = sd.sacl.aces >- for i in range(0, len(aces)): >- ace = aces[i] >- >- if not ace.flags & security.SEC_ACE_FLAG_INHERITED_ACE: >- sd_clean.sacl_add(ace) >- continue >- >- aces = [] >- if sd.dacl is not None: >- aces = sd.dacl.aces >- for i in range(0, len(aces)): >- ace = aces[i] >- >- if not ace.flags & security.SEC_ACE_FLAG_INHERITED_ACE: >- sd_clean.dacl_add(ace) >- continue >- return sd_clean >- >- >-def get_diff_sds(refsd, cursd, domainsid, checkSacl = True): >- """Get the difference between 2 sd >- >- This function split the textual representation of ACL into smaller >- chunck in order to not 
to report a simple permutation as a difference >- >- :param refsddl: First sddl to compare >- :param cursddl: Second sddl to compare >- :param checkSacl: If false we skip the sacl checks >- :return: A string that explain difference between sddls >- """ >- >- cursddl = get_clean_sd(cursd).as_sddl(domainsid) >- refsddl = get_clean_sd(refsd).as_sddl(domainsid) >- >- txt = "" >- hash_cur = chunck_sddl(cursddl) >- hash_ref = chunck_sddl(refsddl) >- >- if not hash_cur.has_key("owner"): >- txt = "\tNo owner in current SD" >- elif hash_cur["owner"] != hash_ref["owner"]: >- txt = "\tOwner mismatch: %s (in ref) %s" \ >- "(in current)\n" % (hash_ref["owner"], hash_cur["owner"]) >- >- if not hash_cur.has_key("group"): >- txt = "%s\tNo group in current SD" % txt >- elif hash_cur["group"] != hash_ref["group"]: >- txt = "%s\tGroup mismatch: %s (in ref) %s" \ >- "(in current)\n" % (txt, hash_ref["group"], hash_cur["group"]) >- >- parts = [ "dacl" ] >- if checkSacl: >- parts.append("sacl") >- for part in parts: >- if hash_cur.has_key(part) and hash_ref.has_key(part): >- >- # both are present, check if they contain the same ACE >- h_cur = set() >- h_ref = set() >- c_cur = chunck_acl(hash_cur[part]) >- c_ref = chunck_acl(hash_ref[part]) >- >- for elem in c_cur["aces"]: >- h_cur.add(elem) >- >- for elem in c_ref["aces"]: >- h_ref.add(elem) >- >- for k in set(h_ref): >- if k in h_cur: >- h_cur.remove(k) >- h_ref.remove(k) >- >- if len(h_cur) + len(h_ref) > 0: >- txt = "%s\tPart %s is different between reference" \ >- " and current here is the detail:\n" % (txt, part) >- >- for item in h_cur: >- txt = "%s\t\t%s ACE is not present in the" \ >- " reference\n" % (txt, item) >- >- for item in h_ref: >- txt = "%s\t\t%s ACE is not present in the" \ >- " current\n" % (txt, item) >- >- elif hash_cur.has_key(part) and not hash_ref.has_key(part): >- txt = "%s\tReference ACL hasn't a %s part\n" % (txt, part) >- elif not hash_cur.has_key(part) and hash_ref.has_key(part): >- txt = "%s\tCurrent ACL 
hasn't a %s part\n" % (txt, part) >- >- return txt >- >- > def update_secrets(newsecrets_ldb, secrets_ldb, messagefunc): > """Update secrets.ldb > >diff --git a/source4/scripting/bin/samba_upgradeprovision b/source4/scripting/bin/samba_upgradeprovision >index 92d5773..88e0206 100755 >--- a/source4/scripting/bin/samba_upgradeprovision >+++ b/source4/scripting/bin/samba_upgradeprovision >@@ -46,7 +46,7 @@ from ldb import (SCOPE_SUBTREE, SCOPE_BASE, > MessageElement, Message, Dn, LdbError) > from samba import param, dsdb, Ldb > from samba.common import confirm >-from samba.descriptor import get_wellknown_sds, get_empty_descriptor >+from samba.descriptor import get_wellknown_sds, get_empty_descriptor, get_diff_sds > from samba.provision import (find_provision_key_parameters, > ProvisioningError, get_last_provision_usn, > get_max_usn, update_provision_usn, setup_path) >@@ -57,7 +57,7 @@ from samba.dcerpc.security import ( > from samba.ndr import ndr_unpack > from samba.upgradehelpers import (dn_sort, get_paths, newprovision, > get_ldbs, findprovisionrange, >- usn_in_range, identic_rename, get_diff_sds, >+ usn_in_range, identic_rename, > update_secrets, CHANGE, ERROR, SIMPLE, > CHANGEALL, GUESS, CHANGESD, PROVISION, > updateOEMInfo, getOEMInfo, update_gpo, >-- >1.7.11.7 > > >From cff823818707e9cf26b6f7bbf535c1ad1368b58a Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Mon, 11 Feb 2013 14:49:01 +1100 >Subject: [PATCH 07/12] samba-tool dbcheck: Add --reset-well-known-acls > >This will allow an upgrade from Samba 4.0.0 without needing to run >samba_upgradeprovision, which for now is not the preferred upgrade >tool. > >Andrew Bartlett > >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit 810f8b48d925ea15f3439c4b228741d8fddaccd8) >--- > python/samba/dbchecker.py | 68 ++++++++++++++++++++++++++++++++++++++++-- > python/samba/netcmd/dbcheck.py | 7 +++-- > 2 files changed, 71 insertions(+), 4 deletions(-) 
> >diff --git a/python/samba/dbchecker.py b/python/samba/dbchecker.py >index fd42a78..39a2b4f 100644 >--- a/python/samba/dbchecker.py >+++ b/python/samba/dbchecker.py >@@ -25,13 +25,15 @@ from samba.ndr import ndr_unpack, ndr_pack > from samba.dcerpc import drsblobs > from samba.common import dsdb_Dn > from samba.dcerpc import security >+from samba.descriptor import get_wellknown_sds, get_diff_sds > > > class dbcheck(object): > """check a SAM database for errors""" > > def __init__(self, samdb, samdb_schema=None, verbose=False, fix=False, >- yes=False, quiet=False, in_transaction=False): >+ yes=False, quiet=False, in_transaction=False, >+ reset_well_known_acls=False): > self.samdb = samdb > self.dict_oid_name = None > self.samdb_schema = (samdb_schema or samdb) >@@ -55,6 +57,8 @@ class dbcheck(object): > self.seize_fsmo_role = False > self.move_to_lost_and_found = False > self.fix_instancetype = False >+ self.reset_well_known_acls = reset_well_known_acls >+ self.reset_all_well_known_acls = False > self.in_transaction = in_transaction > self.infrastructure_dn = ldb.Dn(samdb, "CN=Infrastructure," + samdb.domain_dn()) > self.naming_dn = ldb.Dn(samdb, "CN=Partitions,%s" % samdb.get_config_basedn()) 
>@@ -62,6 +66,18 @@ class dbcheck(object):
> self.rid_dn = ldb.Dn(samdb, "CN=RID Manager$,CN=System," + samdb.domain_dn())
> self.ntds_dsa = ldb.Dn(samdb, samdb.get_dsServiceName())
> self.class_schemaIDGUID = {}
>+ self.wellknown_sds = get_wellknown_sds(self.samdb)
>+
>+ self.name_map = {}
>+ try:
>+ res = samdb.search(base="CN=DnsAdmins,CN=Users,%s" % samdb.domain_dn(), scope=ldb.SCOPE_BASE,
>+ attrs=["objectSid"])
>+ dnsadmins_sid = ndr_unpack(security.dom_sid, res[0]["objectSid"][0])
>+ self.name_map['DnsAdmins'] = str(dnsadmins_sid)
>+ except ldb.LdbError, (enum, estr):
>+ if enum != ldb.ERR_NO_SUCH_OBJECT:
>+ raise
>+ pass
>
> res = self.samdb.search(base=self.ntds_dsa, scope=ldb.SCOPE_BASE, attrs=['msDS-hasMasterNCs', 'hasMasterNCs'])
> if "msDS-hasMasterNCs" in res[0]:
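Review bot: When `CN=DnsAdmins,CN=Users,...` is absent the `ERR_NO_SUCH_OBJECT` branch leaves `self.name_map` without a `DnsAdmins` entry and says nothing, so every reference descriptor built later from this map is silently incomplete; what the `name_map` consumer does with an unresolved name is not visible here, but a reset against such a reference cannot match a fresh provision. Report it, e.g. `self.report("DnsAdmins group not found; DNS well-known SDs will be generated without it\n")`, provided `self.report` is usable this early in `__init__` (its definition is outside the hunk). The trailing `pass` after the `raise` guard is dead and should be dropped.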
>@@ -739,7 +755,29 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base))) > nmsg.dn = dn > nmsg[sd_attr] = ldb.MessageElement(sd_val, ldb.FLAG_MOD_REPLACE, sd_attr) > if self.do_modify(nmsg, ["sd_flags:1:%d" % sd_flags], >- "Failed to fix metadata for attribute %s" % sd_attr): >+ "Failed to fix attribute %s" % sd_attr): >+ self.report("Fixed attribute '%s' of '%s'\n" % (sd_attr, dn)) >+ >+ def err_wrong_default_sd(self, dn, sd, sd_old, diff): >+ '''re-write the SD due to not matching the default (optional mode for fixing an incorrect provision)''' >+ sd_attr = "nTSecurityDescriptor" >+ sd_val = ndr_pack(sd) >+ sd_old_val = ndr_pack(sd_old) >+ sd_flags = security.SECINFO_DACL | security.SECINFO_SACL >+ if sd.owner_sid is not None: >+ sd_flags |= security.SECINFO_OWNER >+ if sd.group_sid is not None: >+ sd_flags |= security.SECINFO_GROUP >+ >+ if not self.confirm_all('Reset %s on %s back to provision default?\n%s' % (sd_attr, dn, diff), 'reset_all_well_known_acls'): >+ self.report('Not resetting %s on %s\n' % (sd_attr, dn)) >+ return >+ >+ m = ldb.Message() >+ m.dn = dn >+ m[sd_attr] = ldb.MessageElement(sd_val, ldb.FLAG_MOD_REPLACE, sd_attr) >+ if self.do_modify(m, ["sd_flags:1:%d" % sd_flags], >+ "Failed to reset attribute %s" % sd_attr): > self.report("Fixed attribute '%s' of '%s'\n" % (sd_attr, dn)) > > def is_fsmo_role(self, dn): >@@ -774,6 +812,16 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base))) > > return instancetype > >+ def get_wellknown_sd(self, dn): >+ for [sd_dn, descriptor_fn] in self.wellknown_sds: >+ if dn == sd_dn: >+ domain_sid = security.dom_sid(self.samdb.get_domain_sid()) >+ return ndr_unpack(security.descriptor, >+ descriptor_fn(domain_sid, >+ name_map=self.name_map)) >+ >+ raise KeyError >+ > def check_object(self, dn, attrs=['*']): > '''check one object''' > if self.verbose: 
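Review bot: `sd_old_val = ndr_pack(sd_old)` in `err_wrong_default_sd` is assigned and never used; drop it, since only `diff` goes into the prompt. The operator-facing point the docstring should carry is that the write uses `SECINFO_DACL | SECINFO_SACL`, so every explicit, non-inherited ACE an administrator delegated on one of these containers after provision is discarded along with the drift: `'''Replace the SD with the provision default; any explicit ACE added after provision on this well-known object is dropped, and owner/group are written only when the reference supplies them.'''` The prompt already shows `diff`, which is good, but with `--yes` the reset is unattended and that caveat then lives only in the docstring.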
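Review bot: `get_wellknown_sd` rebuilds `security.dom_sid(self.samdb.get_domain_sid())` on every hit and performs a linear scan over `self.wellknown_sds` for every object checked; compute the domain SID once in `__init__` and keep `wellknown_sds` as a `dict` keyed by DN so the lookup is `self.wellknown_sds[dn]`. The bare `raise KeyError` should carry the DN, `raise KeyError(dn)`, for readability even though the caller catches it.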
>@@ -826,6 +874,22 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base))) > if sd_broken is not None: > self.err_wrong_sd(dn, sd, sd_broken) > error_count += 1 >+ continue >+ >+ if self.reset_well_known_acls: >+ try: >+ well_known_sd = self.get_wellknown_sd(dn) >+ except KeyError: >+ continue >+ >+ current_sd = ndr_unpack(security.descriptor, >+ str(obj[attrname][0])) >+ >+ diff = get_diff_sds(well_known_sd, current_sd, security.dom_sid(self.samdb.get_domain_sid())) >+ if diff != "": >+ self.err_wrong_default_sd(dn, well_known_sd, current_sd, diff) >+ error_count += 1 >+ continue > continue > > if str(attrname).lower() == 'objectclass': >diff --git a/python/samba/netcmd/dbcheck.py b/python/samba/netcmd/dbcheck.py >index 889b0ff..4cc0631 100644 >--- a/python/samba/netcmd/dbcheck.py >+++ b/python/samba/netcmd/dbcheck.py >@@ -56,6 +56,7 @@ class cmd_dbcheck(Command): > Option("--attrs", dest="attrs", default=None, help="list of attributes to check (space separated)"), > Option("--reindex", dest="reindex", default=False, action="store_true", help="force database re-index"), > Option("--force-modules", dest="force_modules", default=False, action="store_true", help="force loading of Samba modules and ignore the @MODULES record (for very old databases)"), >+ Option("--reset-well-known-acls", dest="reset_well_known_acls", default=False, action="store_true", help="reset ACLs on objects with well known default ACL values to the default"), > Option("-H", "--URL", help="LDB URL for database or target server (defaults to local SAM database)", > type=str, metavar="URL", dest="H"), > ] >@@ -63,7 +64,8 @@ class cmd_dbcheck(Command): > def run(self, DN=None, H=None, verbose=False, fix=False, yes=False, > cross_ncs=False, quiet=False, > scope="SUB", credopts=None, sambaopts=None, versionopts=None, >- attrs=None, reindex=False, force_modules=False): >+ attrs=None, reindex=False, force_modules=False, >+ reset_well_known_acls=False): > > lp = sambaopts.get_loadparm() 
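Review bot: `current_sd = ndr_unpack(security.descriptor, str(obj[attrname][0]))` re-parses the value that `sd`, passed to `err_wrong_sd` two lines above in the same branch, already appears to hold; use `sd` directly (its assignment is above the hunk, so confirm it is the unpacked descriptor). `security.dom_sid(self.samdb.get_domain_sid())` is also constructed for every object carrying an `nTSecurityDescriptor`; hoist it to `__init__`. `error_count += 1` runs even when the operator declines the reset inside `err_wrong_default_sd`, which matches the other `err_` paths but means a run with `--reset-well-known-acls` and no `--fix` exits non-zero whenever any well-known SD has drifted, so add `# counted even if not reset: the exit status reports drift` to make that deliberate.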
> >@@ -114,7 +116,8 @@ class cmd_dbcheck(Command): > started_transaction = True > try: > chk = dbcheck(samdb, samdb_schema=samdb_schema, verbose=verbose, >- fix=fix, yes=yes, quiet=quiet, in_transaction=started_transaction) >+ fix=fix, yes=yes, quiet=quiet, in_transaction=started_transaction, >+ reset_well_known_acls=reset_well_known_acls) > > if reindex: > self.outf.write("Re-indexing...\n") >-- >1.7.11.7 > > >From 54b9959d148cb4c47a72320d0b740f3dfdd6bc4a Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Mon, 11 Feb 2013 14:49:01 +1100 >Subject: [PATCH 08/12] samba-tool dbcheck: Allow dbcheck to correct an > nTSecurityDescriptor without an owner or group > >This is done by making a modification to the SD, which triggers it to be >filled in if we have the correct session_info established on the DB. > >However, we normally want dbcheck running as system, so we wrap >the session_info set around this operation only. > >Andrew Bartlett > >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit 4789a3072a4241841c096115dbdb0c3259968e68) >--- > python/samba/dbchecker.py | 41 +++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 41 insertions(+) > >diff --git a/python/samba/dbchecker.py b/python/samba/dbchecker.py >index 39a2b4f..d0d0ab3 100644 >--- a/python/samba/dbchecker.py >+++ b/python/samba/dbchecker.py >@@ -26,6 +26,7 @@ from samba.dcerpc import drsblobs > from samba.common import dsdb_Dn > from samba.dcerpc import security > from samba.descriptor import get_wellknown_sds, get_diff_sds >+from samba.auth import system_session, admin_session > > > class dbcheck(object): >@@ -54,6 +55,7 @@ class dbcheck(object): > self.fix_all_orphaned_backlinks = False > self.fix_rmd_flags = False > self.fix_ntsecuritydescriptor = False >+ self.fix_ntsecuritydescriptor_owner_group = False > self.seize_fsmo_role = False > self.move_to_lost_and_found = False > self.fix_instancetype = False 
>@@ -79,6 +81,9 @@ class dbcheck(object):
> raise
> pass
>
>+ self.system_session_info = system_session()
>+ self.admin_session_info = admin_session(None, samdb.get_domain_sid())
>+
> res = self.samdb.search(base=self.ntds_dsa, scope=ldb.SCOPE_BASE, attrs=['msDS-hasMasterNCs', 'hasMasterNCs'])
> if "msDS-hasMasterNCs" in res[0]:
> self.write_ncs = res[0]["msDS-hasMasterNCs"]
>@@ -780,6 +785,37 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
> "Failed to reset attribute %s" % sd_attr):
> self.report("Fixed attribute '%s' of '%s'\n" % (sd_attr, dn))
>
>+ def err_missing_sd_owner(self, dn, sd):
>+ '''re-write the SD due to a missing owner or group'''
>+ sd_attr = "nTSecurityDescriptor"
>+ sd_val = ndr_pack(sd)
>+ sd_flags = security.SECINFO_OWNER | security.SECINFO_GROUP
>+
>+ if not self.confirm_all('Fix missing owner or group in %s on %s?' % (sd_attr, dn), 'fix_ntsecuritydescriptor_owner_group'):
>+ self.report('Not fixing missing owner or group %s on %s\n' % (sd_attr, dn))
>+ return
>+
>+ nmsg = ldb.Message()
>+ nmsg.dn = dn
>+ nmsg[sd_attr] = ldb.MessageElement(sd_val, ldb.FLAG_MOD_REPLACE, sd_attr)
>+
>+ # By setting the session_info to admin_session_info and
>+ # setting the security.SECINFO_OWNER | security.SECINFO_GROUP
>+ # flags we cause the descriptor module to set the correct
>+ # owner and group on the SD, replacing the None/NULL values
>+ # for owner_sid and group_sid currently present.
>+ #
>+ # The admin_session_info matches that used in provision, and
>+ # is the best guess we can make for an existing object that
>+ # hasn't had something specifically set.
>+ #
>+ # This is important for the dns related naming contexts.
>+ self.samdb.set_session_info(self.admin_session_info)
>+ if self.do_modify(nmsg, ["sd_flags:1:%d" % sd_flags],
>+ "Failed to fix metadata for attribute %s" % sd_attr):
>+ self.report("Fixed attribute '%s' of '%s'\n" % (sd_attr, dn))
>+ self.samdb.set_session_info(self.system_session_info)
>+
> def is_fsmo_role(self, dn):
> if dn == self.samdb.domain_dn:
> return True
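Review bot: The switch to `self.admin_session_info` before `do_modify` is not undone on an exception path: if `do_modify` lets an `LdbError` propagate (its body is outside this hunk) the samdb stays bound to the admin session for whatever the caller does next, which contradicts the stated intent that dbcheck normally runs as system. Put the restore in a `finally` so the elevated session is scoped to this one modify regardless of outcome. Separately, the context line `if dn == self.samdb.domain_dn:` in `is_fsmo_role` appears to compare a `Dn` against the bound method rather than the result of `self.samdb.domain_dn()`, so it can never be true; that is pre-existing, not introduced here, but worth a follow-up since it decides whether an object is treated as an FSMO role holder.
```python
        # … unchanged: message construction and the explanatory comment above …
        self.samdb.set_session_info(self.admin_session_info)
        try:
            if self.do_modify(nmsg, ["sd_flags:1:%d" % sd_flags],
                              "Failed to fix metadata for attribute %s" % sd_attr):
                self.report("Fixed attribute '%s' of '%s'\n" % (sd_attr, dn))
        finally:
            # always drop back to the system session, even if the modify raised
            self.samdb.set_session_info(self.system_session_info)
```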
>@@ -876,6 +912,11 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
> error_count += 1
> continue
>
>+ if sd.owner_sid is None or sd.group_sid is None:
>+ self.err_missing_sd_owner(dn, sd)
>+ error_count += 1
>+ continue
>+
> if self.reset_well_known_acls:
> try:
> well_known_sd = self.get_wellknown_sd(dn)
>--
>1.7.11.7
>
>
>From d1116ab8c109a77468de4e68f456cce9b3b0cbbc Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Fri, 22 Mar 2013 22:16:03 +1100
>Subject: [PATCH 09/12] scripting: Modify samba.descriptor.get_diff_sds() to
> cope with a missing reference owner
>
>This allows the reference SD not to have an owner specified, and still
>have the comparison with a database SD that does have an owner pass.
>(And the same for owning group).
>
>Andrew Bartlett
>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>(cherry picked from commit 874a93bc1c437543474a6c574b0065b7b953ad38)
>---
> python/samba/descriptor.py | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
>diff --git a/python/samba/descriptor.py b/python/samba/descriptor.py
>index 4137bc3..164b0bf 100644
>--- a/python/samba/descriptor.py
>+++ b/python/samba/descriptor.py
>@@ -528,13 +528,13 @@ def get_diff_sds(refsd, cursd, domainsid, checkSacl = True):
>
> if not hash_cur.has_key("owner"):
> txt = "\tNo owner in current SD"
>- elif hash_cur["owner"] != hash_ref["owner"]:
>+ elif hash_ref.has_key("owner") and hash_cur["owner"] != hash_ref["owner"]:
> txt = "\tOwner mismatch: %s (in ref) %s" \
> "(in current)\n" % (hash_ref["owner"], hash_cur["owner"])
>
> if not hash_cur.has_key("group"):
> txt = "%s\tNo group in current SD" % txt
>- elif hash_cur["group"] != hash_ref["group"]:
>+ elif hash_ref.has_key("group") and hash_cur["group"] != hash_ref["group"]:
> txt = "%s\tGroup mismatch: %s (in ref) %s" \
> "(in current)\n" % (txt, hash_ref["group"], hash_cur["group"])
>
>--
>1.7.11.7
>
>
>From 1bf1cfdec73bd93839af4cdd83fc39a834b71caf Mon Sep 17 00:00:00 2001
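Review bot: The `continue` after `err_missing_sd_owner` skips the `reset_well_known_acls` comparison for that object in the same pass, so a well-known container with both a missing owner and a drifted DACL needs two `--fix` runs before `--reset-well-known-acls` reports clean. If that is intended because the owner fix changes the descriptor the diff would be computed against, say so: `# owner/group are filled in by the server; the well-known comparison runs on the next pass`. Otherwise re-read the attribute after the fix rather than continuing. `error_count` is incremented even when the operator declines the fix, consistent with the branch above it.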
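Review bot: With `hash_ref.has_key("owner") and ...` a reference SD without an owner now accepts any current owner without a word, and the same for group; because the owner of an object can always rewrite its DACL, a well-known container whose owner was changed to an arbitrary principal passes `--reset-well-known-acls` unflagged whenever the reference descriptor omits `O:`. Appending to `txt` would make `diff` non-empty and trigger a reset prompt, so the honest minimum is to document the gap in the docstring of `get_diff_sds` (which starts above this hunk): `When the reference has no owner or group the current value is accepted unchecked.` A verbose-only notice from the caller would be the next step.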
>From: Andrew Bartlett <abartlet@samba.org> >Date: Fri, 22 Mar 2013 17:12:43 +1100 >Subject: [PATCH 10/12] selftest: Add tests for samba-tool dbcheck > --reset-well-known-acls > >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit 1589e46d11f29551f3598876b62e29fcbad06580) >--- > selftest/knownfail | 1 + > testprogs/blackbox/dbcheck-oldrelease.sh | 64 +++++++++++++++++++++-- > testprogs/blackbox/dbcheck.sh | 6 +++ > testprogs/blackbox/upgradeprovision-oldrelease.sh | 10 ++++ > 4 files changed, 78 insertions(+), 3 deletions(-) > >diff --git a/selftest/knownfail b/selftest/knownfail >index 429f396..d455e34 100644 >--- a/selftest/knownfail >+++ b/selftest/knownfail >@@ -163,6 +163,7 @@ > ^samba4.blackbox.upgradeprovision.alpha13.ldapcmp_full_sd\(none\) # Due to something rewriting the NT ACL on DNS objects and not getting the DC ACL right > ^samba4.blackbox.upgradeprovision.release-4-0-0.ldapcmp_sd\(none\) # Due to something rewriting the NT ACL on DNS objects and not getting the DC ACL right > ^samba4.blackbox.upgradeprovision.release-4-0-0.ldapcmp_full_sd\(none\) # Due to something rewriting the NT ACL on DNS objects and not getting the DC ACL right >+^samba4.blackbox.dbcheck.release-4-0-0.ldapcmp_sd\(none\) # We do not yet know how to reset the DC ACL with dbcheck > ^samba3.smb2.create.gentest > ^samba3.smb2.create.blob > ^samba3.smb2.create.open >diff --git a/testprogs/blackbox/dbcheck-oldrelease.sh b/testprogs/blackbox/dbcheck-oldrelease.sh >index 6032bbc..a06e025 100755 >--- a/testprogs/blackbox/dbcheck-oldrelease.sh >+++ b/testprogs/blackbox/dbcheck-oldrelease.sh 
>@@ -25,16 +25,41 @@ undump() {
> }
>
> reindex() {
>- $BINDIR/samba-tool dbcheck --reindex -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@
>+ $PYTHON $BINDIR/samba-tool dbcheck --reindex -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@
> }
>
> # This should 'fail', because it returns the number of modified records
> dbcheck() {
>- $BINDIR/samba-tool dbcheck --cross-ncs --fix --yes -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@
>+ $PYTHON $BINDIR/samba-tool dbcheck --cross-ncs --fix --yes -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@
> }
> # But having fixed it all up, this should pass
> dbcheck_clean() {
>- $BINDIR/samba-tool dbcheck --cross-ncs -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@
>+ $PYTHON $BINDIR/samba-tool dbcheck --cross-ncs -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@
>+}
>+
>+# This should 'fail', because it returns the number of modified records
>+dbcheck_acl_reset() {
>+ $PYTHON $BINDIR/samba-tool dbcheck --reset-well-known-acls --cross-ncs --fix --yes -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@
>+}
>+# But having fixed it all up, this should pass
>+dbcheck_acl_reset_clean() {
>+ $PYTHON $BINDIR/samba-tool dbcheck --reset-well-known-acls --cross-ncs -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@
>+}
>+
>+referenceprovision() {
>+ $PYTHON $BINDIR/samba-tool domain provision --server-role="dc" --domain=SAMBA --host-name=ares --realm=${RELEASE}.samba.corp --targetdir=$PREFIX_ABS/${RELEASE}_reference --use-ntvfs --host-ip=127.0.0.1 --host-ip6=::1
>+}
>+
>+ldapcmp() {
>+ if [ x$RELEASE != x"alpha13" ]; then
>+ $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord
>+ fi
>+}
>+
>+ldapcmp_sd() {
>+ if [ x$RELEASE != x"alpha13" ]; then
>+ $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --two --sd
--skip-missing-dn
>+ fi
> }
>
> if [ -d $release_dir ]; then
>@@ -42,6 +67,11 @@ if [ -d $release_dir ]; then
> testit "reindex" reindex
> testit_expect_failure "dbcheck" dbcheck
> testit "dbcheck_clean" dbcheck_clean
>+ testit_expect_failure "dbcheck_acl_reset" dbcheck_acl_reset
>+ testit "dbcheck_acl_reset_clean" dbcheck_acl_reset_clean
>+ testit "referenceprovision" referenceprovision
>+ testit "ldapcmp" ldapcmp
>+ testit "ldapcmp_sd" ldapcmp_sd
> else
> subunit_start_test $RELEASE
> subunit_skip_test $RELEASE <<EOF
>@@ -60,6 +90,34 @@ EOF
> subunit_skip_test "dbcheck_clean" <<EOF
> no test provision
> EOF
>+ subunit_start_test "dbcheck_acl_reset"
>+ subunit_skip_test "dbcheck_acl_reset" <<EOF
>+no test provision
>+EOF
>+ subunit_start_test "dbcheck_clean_acl_reset"
>+ subunit_skip_test "dbcheck_clean_acl_reset" <<EOF
>+no test provision
>+EOF
>+ subunit_start_test "referenceprovision"
>+ subunit_skip_test "referenceprovision" <<EOF
>+no test provision
>+EOF
>+ subunit_start_test "ldapcmp"
>+ subunit_skip_test "ldapcmp" <<EOF
>+no test provision
>+EOF
>+ subunit_start_test "ldapcmp_sd"
>+ subunit_skip_test "ldapcmp_sd" <<EOF
>+no test provision
>+EOF
>+fi
>+
>+if [ -d $PREFIX_ABS/${RELEASE} ]; then
>+ rm -fr $PREFIX_ABS/${RELEASE}
>+fi
>+
>+if [ -d $PREFIX_ABS/${RELEASE}_reference ]; then
>+ rm -fr $PREFIX_ABS/${RELEASE}_reference
> fi
>
> exit $failed
>diff --git a/testprogs/blackbox/dbcheck.sh b/testprogs/blackbox/dbcheck.sh
>index faf6fab..c1e8aaf 100755
>--- a/testprogs/blackbox/dbcheck.sh
>+++ b/testprogs/blackbox/dbcheck.sh
>@@ -16,6 +16,12 @@ dbcheck() {
> $BINDIR/samba-tool dbcheck --cross-ncs $@
> }
>
>+# This test shows that this does not do anything to a current
>+# provision (that would be a bug)
>+dbcheck_reset_well_known_acls() {
>+ $BINDIR/samba-tool dbcheck --cross-ncs --reset-well-known-acls $@
>+}
>+
> reindex() {
> $BINDIR/samba-tool dbcheck --reindex
> }
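Review bot: `ldapcmp` and `ldapcmp_sd` return 0 without running anything when `$RELEASE` is `alpha13`, so `testit "ldapcmp" ldapcmp` records a pass for a comparison that never happened; moving the release check to the call site and emitting `subunit_start_test`/`subunit_skip_test` there, as the `else` branch below already does for a missing provision, would make the skip visible in the test results. The new wrappers also pass `$@` and `$PREFIX_ABS` unquoted; `"$@"` and `"$PREFIX_ABS"` keep arguments and paths containing spaces intact, e.g. `-H tdb://"$PREFIX_ABS"/${RELEASE}/private/sam.ldb "$@"`. The `referenceprovision` line hard-codes `--host-ip=127.0.0.1 --host-ip6=::1`, which is fine for a throwaway reference database but deserves a one-line comment saying so.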
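Review bot: The cleanup `rm -fr $PREFIX_ABS/${RELEASE}` runs with both variables unquoted and unvalidated; if `PREFIX_ABS` is empty the guard `[ -d /${RELEASE} ]` still passes for any top-level directory of that name, and with both empty `[ -d / ]` is true and the script attempts `rm -fr /`. A one-line guard such as `[ -n "$PREFIX_ABS" ] && [ -n "$RELEASE" ] || exit 1` before the two `rm` blocks, plus quoting `"$PREFIX_ABS/${RELEASE}"`, removes that failure mode. Separately, the skip branch names its test `dbcheck_clean_acl_reset` while the run branch above uses `dbcheck_acl_reset_clean`, so the subunit id differs depending on whether the provision directory exists and any knownfail entry can only ever match one of them; change the two new lines to `subunit_start_test "dbcheck_acl_reset_clean"` and `subunit_skip_test "dbcheck_acl_reset_clean" <<EOF`.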
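Review bot: The comment on the new `dbcheck_reset_well_known_acls` wrapper says the run "does not do anything", but without `--fix` dbcheck is read-only in any case; what the test presumably checks (by analogy with the `dbcheck_clean` comments in dbcheck-oldrelease.sh) is that the reset would not want to change anything on a fresh provision. A clearer comment would be `# Read-only run: a non-zero exit means --reset-well-known-acls would have changed a fresh provision, which would be a bug in the provision or dbcheck`. This hunk only defines the function; its `testit` call, if any, is outside the visible diff.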
>diff --git a/testprogs/blackbox/upgradeprovision-oldrelease.sh b/testprogs/blackbox/upgradeprovision-oldrelease.sh
>index 105483d..d12c2cf 100755
>--- a/testprogs/blackbox/upgradeprovision-oldrelease.sh
>+++ b/testprogs/blackbox/upgradeprovision-oldrelease.sh
>@@ -68,6 +68,11 @@ dbcheck_full_clean() {
> $BINDIR/samba-tool dbcheck --cross-ncs -H tdb://$PREFIX_ABS/${RELEASE}_upgrade_full/private/sam.ldb $@
> }
>
>+# This checks that after the upgrade, the well known ACLs are correct, so this reset should not want to do anything
>+dbcheck_full_clean_well_known_acls() {
>+ $BINDIR/samba-tool dbcheck --reset-well-known-acls --cross-ncs -H tdb://$PREFIX_ABS/${RELEASE}_upgrade_full/private/sam.ldb $@
>+}
>+
> upgradeprovision() {
> $PYTHON $BINDIR/samba_upgradeprovision -s "$PREFIX_ABS/${RELEASE}_upgrade/etc/smb.conf" --debugchange
> }
>@@ -124,6 +129,7 @@ if [ -d $release_dir ]; then
> testit_expect_failure "dbcheck_full" dbcheck_full
> testit "dbcheck_clean" dbcheck_clean
> testit "dbcheck_full_clean" dbcheck_full_clean
>+ testit "dbcheck_full_clean_well_known_acls" dbcheck_full_clean_well_known_acls
> testit "referenceprovision" referenceprovision
> testit "samba_upgradedns" samba_upgradedns
> testit "ldapcmp" ldapcmp
>@@ -171,6 +177,10 @@ EOF
> subunit_skip_test "dbcheck_full_clean" <<EOF
> no test provision
> EOF
>+ subunit_start_test "dbcheck_full_clean_well_known_acls"
>+ subunit_skip_test "dbcheck_full_clean_well_known_acls" <<EOF
>+no test provision
>+EOF
> subunit_start_test "samba_dnsupgrade"
> subunit_skip_test "samba_dnsupgrade" <<EOF
> no test provision
>--
>1.7.11.7
>
>
>From 1fb5331c9f0cd030d63d47af0327f3958f7f0ef5 Mon Sep 17 00:00:00 2001
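Review bot: Only the `${RELEASE}_upgrade_full` database gets the new well-known-ACL check; `dbcheck_clean`, which presumably covers `${RELEASE}_upgrade`, has no `--reset-well-known-acls` counterpart, so the non-full upgrade path is never shown to leave the well-known ACLs correct. Unless that path is known not to touch ACLs, a parallel `dbcheck_clean_well_known_acls()` pointing at `-H tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb` with matching `testit`/skip entries would close the gap. The new wrapper also passes `$@` unquoted like the existing ones; `"$@"` is the safe form if this file is ever cleaned up.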
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Fri, 22 Mar 2013 21:36:49 +1100
>Subject: [PATCH 11/12] samba-tool ldapcmp: Remove the GUID -> name mappings
>
>These mappings are very convenient, however because they are not
>one-to-one, they lead to differences being reported when none exist,
>dependent only on the order the schema searches return results in.
>
>Sadly the time saved by the names is offset by the time wasted chasing
>the 'differences' that don't exist.
>
>This in turn fixes some tests that were previously knownfail
>
>Andrew Bartlett
>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>(cherry picked from commit 5d42260eecfd4f26cc82637ce1bc989083c9eb9d)
>---
> python/samba/netcmd/ldapcmp.py | 47 ++++--------------------------------------
> selftest/knownfail | 8 +++----
> 2 files changed, 7 insertions(+), 48 deletions(-)
>
>diff --git a/python/samba/netcmd/ldapcmp.py b/python/samba/netcmd/ldapcmp.py
>index 6e025a2..7bd118e 100644
>--- a/python/samba/netcmd/ldapcmp.py
>+++ b/python/samba/netcmd/ldapcmp.py
>@@ -80,7 +80,6 @@ class LDAPBase(object):
> self.server_names = self.find_servers()
> self.domain_name = re.sub("[Dd][Cc]=", "", self.base_dn).replace(",", ".")
> self.domain_sid = self.find_domain_sid()
>- self.get_guid_map()
> self.get_sid_map()
> #
> # Log some domain controller specific place-holers that are being used
>@@ -250,20 +249,6 @@ class LDAPBase(object):
> assert index == len(blob)
> return res.strip().replace(" ", "-")
>
>- def get_guid_map(self):
>- """ Build dictionary that maps GUID to 'name' attribute found in Schema or Extended-Rights.
>- """
>- self.guid_map = {}
>- res = self.ldb.search(base=self.schema_dn,
>- expression="(schemaIdGuid=*)", scope=SCOPE_SUBTREE, attrs=["schemaIdGuid", "name"])
>- for item in res:
>- self.guid_map[self.guid_as_string(item["schemaIdGuid"]).lower()] = item["name"][0]
>- #
>- res = self.ldb.search(base="cn=extended-rights,%s" % self.config_dn,
>- expression="(rightsGuid=*)", scope=SCOPE_SUBTREE, attrs=["rightsGuid", "name"])
>- for item in res:
>- self.guid_map[str(item["rightsGuid"]).lower()] = item["name"][0]
>-
> def get_sid_map(self):
> """ Build dictionary that maps GUID to 'name' attribute found in Schema or Extended-Rights.
> """
>@@ -299,22 +284,6 @@ class Descriptor(object):
> return []
> return re.findall("(\(.*?\))", res)
>
>- def fix_guid(self, ace):
>- res = "%s" % ace
>- guids = re.findall("[a-z0-9]+?-[a-z0-9]+-[a-z0-9]+-[a-z0-9]+-[a-z0-9]+", res)
>- # If there are not GUIDs to replace return the same ACE
>- if len(guids) == 0:
>- return res
>- for guid in guids:
>- try:
>- name = self.con.guid_map[guid.lower()]
>- res = res.replace(guid, name)
>- except KeyError:
>- # Do not bother if the GUID is not found in
>- # cn=Schema or cn=Extended-Rights
>- pass
>- return res
>-
> def fix_sid(self, ace):
> res = "%s" % ace
> sids = re.findall("S-[-0-9]+", res)
>@@ -330,14 +299,6 @@ class Descriptor(object):
> pass
> return res
>
>- def fixit(self, ace):
>- """ Combine all replacement methods in one
>- """
>- res = "%s" % ace
>- res = self.fix_guid(res)
>- res = self.fix_sid(res)
>- return res
>-
> def diff_1(self, other):
> res = ""
> if len(self.dacl_list) != len(other.dacl_list):
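Review bot: The docstring left on `get_sid_map` at the bottom of this hunk still reads `Build dictionary that maps GUID to 'name' attribute found in Schema or Extended-Rights.`, a copy of the deleted `get_guid_map` docstring, and now that the GUID map is gone it is the only description a reader will find for the SID map; it should say what the method actually builds, e.g. `""" Build dictionary that maps SID to the 'name' attribute of the matching object. """` (the exact source of the names is outside this hunk). The method ending just above the deletion (`return res.strip().replace(" ", "-")`) looks like `guid_as_string`, whose only visible caller was the removed code; if nothing else uses it, it should go too rather than linger as dead code.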
>@@ -361,8 +322,8 @@ class Descriptor(object):
> other_ace = ""
> if len(self_ace) + len(other_ace) == 0:
> break
>- self_ace_fixed = "%s" % self.fixit(self_ace)
>- other_ace_fixed = "%s" % other.fixit(other_ace)
>+ self_ace_fixed = "%s" % self.fix_sid(self_ace)
>+ other_ace_fixed = "%s" % other.fix_sid(other_ace)
> if self_ace_fixed != other_ace_fixed:
> res += "%60s * %s\n" % ( self_ace_fixed, other_ace_fixed )
> flag = False
>@@ -383,8 +344,8 @@ class Descriptor(object):
> other_aces = []
> self_dacl_list_fixed = []
> other_dacl_list_fixed = []
>- [self_dacl_list_fixed.append( self.fixit(ace) ) for ace in self.dacl_list]
>- [other_dacl_list_fixed.append( other.fixit(ace) ) for ace in other.dacl_list]
>+ [self_dacl_list_fixed.append( self.fix_sid(ace) ) for ace in self.dacl_list]
>+ [other_dacl_list_fixed.append( other.fix_sid(ace) ) for ace in other.dacl_list]
> for ace in self_dacl_list_fixed:
> try:
> other_dacl_list_fixed.index(ace)
>diff --git a/selftest/knownfail b/selftest/knownfail
>index d455e34..ecb1934 100644
>--- a/selftest/knownfail
>+++ b/selftest/knownfail
>@@ -159,11 +159,9 @@
> ^samba4.rpc.lsa.forest.trust #Not fully provided by Samba4
> ^samba4.blackbox.kinit\(.*\).kinit with user password for expired password\(.*\) # We need to work out why this fails only during the pw change
> ^samba4.blackbox.dbcheck\(vampire_dc\).dbcheck\(vampire_dc:local\) # Due to replicating with --domain-critical-only we fail dbcheck on this database
>-^samba4.blackbox.upgradeprovision.alpha13.ldapcmp_sd\(none\) # Due to something rewriting the NT ACL on DNS objects and not getting the DC ACL right
>-^samba4.blackbox.upgradeprovision.alpha13.ldapcmp_full_sd\(none\) # Due to something rewriting the NT ACL on DNS objects and not getting the DC ACL right
>-^samba4.blackbox.upgradeprovision.release-4-0-0.ldapcmp_sd\(none\) # Due to something rewriting the NT ACL on DNS objects and not getting the DC ACL right
>-^samba4.blackbox.upgradeprovision.release-4-0-0.ldapcmp_full_sd\(none\) # Due to something rewriting the NT ACL on DNS objects and not getting the DC ACL right
>-^samba4.blackbox.dbcheck.release-4-0-0.ldapcmp_sd\(none\) # We do not yet know how to reset the DC ACL with dbcheck
>+^samba4.blackbox.upgradeprovision.alpha13.ldapcmp_sd\(none\) # Due to something rewriting the NT ACL on DNS objects
>+^samba4.blackbox.upgradeprovision.alpha13.ldapcmp_full_sd\(none\) # Due to something rewriting the NT ACL on DNS objects
>+^samba4.blackbox.upgradeprovision.release-4-0-0.ldapcmp_sd\(none\) # Due to something rewriting the NT ACL on DNS objects
> ^samba3.smb2.create.gentest
> ^samba3.smb2.create.blob
> ^samba3.smb2.create.open
>--
>1.7.11.7
>
>
>From c7c275cc1dd9e3f160697ae1ce09e49e15209b12 Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Fri, 22 Mar 2013 21:58:25 +1100
>Subject: [PATCH 12/12] scripting: Fill the ProvisionNames hash with strings,
> not ldb.MessageElement or Dn
>
>This avoids the need to fix it up again in samba_upgradedns.
>
>Andrew Bartlett
>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>
>Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
>Autobuild-Date(master): Mon Mar 25 13:25:30 CET 2013 on sn-devel-104
>(cherry picked from commit 30adf0cdbae6d9aaf2e72513d9c33267248f20c0)
>---
> python/samba/provision/__init__.py | 15 +++++++--------
> source4/scripting/bin/samba_upgradedns | 16 +---------------
> 2 files changed, 8 insertions(+), 23 deletions(-)
>
>diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
>index 32baac6..f13b7d1 100644
>--- a/python/samba/provision/__init__.py
>+++ b/python/samba/provision/__init__.py
>@@ -201,9 +201,8 @@ def find_provision_key_parameters(samdb, secretsdb, idmapdb, paths, smbconf,
> "configurationNamingContext","rootDomainNamingContext",
> "namingContexts"])
>
>- names.configdn = current[0]["configurationNamingContext"]
>- configdn = str(names.configdn)
>- names.schemadn = current[0]["schemaNamingContext"]
>+ names.configdn = current[0]["configurationNamingContext"][0]
>+ names.schemadn = current[0]["schemaNamingContext"][0]
> if not (ldb.Dn(samdb, basedn) == (ldb.Dn(samdb,
> current[0]["defaultNamingContext"][0]))):
> raise ProvisioningError(("basedn in %s (%s) and from %s (%s)"
>@@ -211,8 +210,8 @@ def find_provision_key_parameters(samdb, secretsdb, idmapdb, paths, smbconf,
> str(current[0]["defaultNamingContext"][0]),
> paths.smbconf, basedn)))
>
>- names.domaindn=current[0]["defaultNamingContext"]
>- names.rootdn=current[0]["rootDomainNamingContext"]
>+ names.domaindn=current[0]["defaultNamingContext"][0]
>+ names.rootdn=current[0]["rootDomainNamingContext"][0]
> names.ncs=current[0]["namingContexts"]
> names.dnsforestdn = None
> names.dnsdomaindn = None
>@@ -232,7 +231,7 @@ def find_provision_key_parameters(samdb, secretsdb, idmapdb, paths, smbconf,
>
> # default site name
> res3 = samdb.search(expression="(objectClass=site)",
>- base="CN=Sites," + configdn, scope=ldb.SCOPE_ONELEVEL, attrs=["cn"])
>+ base="CN=Sites," + names.configdn, scope=ldb.SCOPE_ONELEVEL, attrs=["cn"])
> names.sitename = str(res3[0]["cn"])
>
> # dns hostname and server dn
>@@ -242,8 +241,8 @@ def find_provision_key_parameters(samdb, secretsdb, idmapdb, paths, smbconf,
> names.hostname = str(res4[0]["dNSHostName"]).replace("." + names.dnsdomain, "")
>
> server_res = samdb.search(expression="serverReference=%s" % res4[0].dn,
>- attrs=[], base=configdn)
>- names.serverdn = server_res[0].dn
>+ attrs=[], base=names.configdn)
>+ names.serverdn = str(server_res[0].dn)
>
> # invocation id/objectguid
> res5 = samdb.search(expression="(objectClass=*)",
>diff --git a/source4/scripting/bin/samba_upgradedns b/source4/scripting/bin/samba_upgradedns
>index f389ef7..3c30090 100755
>--- a/source4/scripting/bin/samba_upgradedns
>+++ b/source4/scripting/bin/samba_upgradedns
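Review bot: `names.ncs=current[0]["namingContexts"]`, two lines below the changed ones, still stores the raw `ldb.MessageElement`, so after this commit ProvisionNames is only partly "filled with strings" as the subject claims, and a caller iterating `names.ncs` expecting `str` items gets elements instead. If nothing depends on the element type, `names.ncs = [str(nc) for nc in current[0]["namingContexts"]]` makes it consistent with `domaindn`/`rootdn`; otherwise a comment on that line, `# kept as a MessageElement on purpose: multi-valued`, stops the next person from "fixing" it. `find_provision_key_parameters` starts before and ends after this hunk.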
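Review bot: The filter `"serverReference=%s" % res4[0].dn` on the first unchanged line of the last hunk is built by string interpolation, so a DN containing LDAP filter metacharacters (`(`, `)`, `*`, `\`) is mis-parsed rather than matched; the value comes from the local sam.ldb, so this is a robustness rather than an injection concern, but `ldb` is already in scope here and `expression="serverReference=%s" % ldb.binary_encode(str(res4[0].dn))` escapes it. The new `names.serverdn = str(server_res[0].dn)` also indexes `server_res[0]` without checking that the search returned anything, so a DC object without a matching server entry surfaces as a bare `IndexError` rather than a `ProvisioningError` naming the host, which the function already raises for the basedn mismatch above. The enclosing function continues outside the hunk.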
>@@ -83,19 +83,6 @@ def find_bind_gid():
> return None
>
>
>-def fix_names(pnames):
>- """Convert elements to strings from MessageElement
>- """
>- names = pnames
>- names.rootdn = pnames.rootdn[0]
>- names.domaindn = pnames.domaindn[0]
>- names.configdn = pnames.configdn[0]
>- names.schemadn = pnames.schemadn[0]
>- names.root_gid = pnames.root_gid
>- names.serverdn = str(pnames.serverdn)
>- return names
>-
>-
> def convert_dns_rdata(rdata, serial=1):
> """Convert resource records in dnsRecord format
> """
>@@ -270,9 +257,8 @@ if __name__ == '__main__':
> paths = get_paths(param, smbconf=lp.configfile)
> paths.bind_gid = find_bind_gid()
> ldbs = get_ldbs(paths, creds, system_session(), lp)
>- pnames = find_provision_key_parameters(ldbs.sam, ldbs.secrets, ldbs.idmap,
>+ names = find_provision_key_parameters(ldbs.sam, ldbs.secrets, ldbs.idmap,
> paths, lp.configfile, lp)
>- names = fix_names(pnames)
>
> if names.domainlevel < DS_DOMAIN_FUNCTION_2003:
> logger.error("Cannot create AD based DNS for OS level < 2003")
>--
>1.7.11.7
>
Flags:
metze
:
review+